Brave new (digital) world
USA TODAY Network is one of the largest news outlets in the country, comprised of approximately 136 news and media brands in seven countries, and reaching about 130 million people a month. Print is still a major revenue source for the company, but it certainly isn’t immune to changes within the industry.
“Many of our news outlets come from a print background and, over the last five to ten years, have been transitioning to more of a digital brand just to keep pace with how our audience wants to receive information,” says Jamshid Khazenie, chief technology officer at USA TODAY Network. “Which means a lot of our brands are changing how they produce content, and the type of content they produce—the format, length, language, tone, packaging, and presentation.”
The shift towards digital and social media increases USA TODAY Network’s attack surface and makes it more likely to be targeted by hackers—some seeking to plant fake news stories on reputable sites, and others trying to access subscribers’ valuable personal data.
As security concerns have increased, USA TODAY Network has helped lead the movement to protect privacy and maintain journalistic integrity. “Trust is a very important subject around our workplace,” says Khazenie. “Especially in the age of fake news, being a trusted brand that people can rely on for accurate, well thought-out, well-researched information is very, very important to us.”
Maintaining public trust
These concerns launched a modernization journey at USA TODAY Network. Like most massive organizations, the company was built on a legacy identity infrastructure supported by on-premise products like Active Directory and protected by traditional, perimeter-based security tools. “We realized that as the cybersecurity landscape gets more complex and the risk levels continue to rise, we needed to revisit how we were controlling access to our products and our applications,” says Khazenie.
USA TODAY Network’s senior architect of enterprise infrastructure, David Snyder, elaborates: “As guardians of the First Amendment, USA TODAY Network is in the middle of the media bias spectrum, riding a critical edge between news reporting and fair analysis. We work very hard to maintain this position, but we're routinely and actively attacked by people who want to exploit public trust.”
Hackers don’t just target the news sites—they also regularly target USA TODAY Network’s reporters and editors. “We have to consider that incidents do happen, and device-based policies are not a silver bullet,” says Snyder. “It's important to improve our incident-response lifecycle, reduce workforce disruptions, and eliminate customer outages.”
With a diverse, global workforce, and a business model that’s built on making the news accessible through a variety of mediums, including mobile apps, desktop, social media, and even Internet of Things devices like Apple Homekit and Google Home, preventing breaches requires a modern, sensible approach to identity management.
"Our identity management is a security operation,” says Snyder. “Identity management is the first, last, and only line of defense in a lot of situations."
But strong identity management requires the right identity partner. USA TODAY Network needed a partner that shared its commitment to trust and reliability.
Friction-free access control
In 2016, Khazenie discovered Okta, and was impressed by its fresh approach to identity management, and its ability to support a hybrid IT infrastructure.
“On the one hand, we wanted to raise the bar in terms of system security, enforcing things like multi-factor authentication and access control,” says Khazenie. “At the same time, we didn’t want to create friction for people interacting with our tools and platforms on a daily basis. Okta would help us accomplish both of those goals at the same time.”
There are a lot of employee tools and applications to protect. USA TODAY Network is a heavy Microsoft shop using Office 365, OneDrive and SharePoint. They also rely on a HRIS system, plus financial tools that help with revenue management, billing, accounts receivable, and accounts payable.
To secure all this sensitive data, USA TODAY Network selected the Okta Identity Cloud, including Single Sign-On (SSO), Universal Directory, Adaptive Multi-Factor Authentication (MFA), Lifecycle Management, and API Access Management.
The company set out to deploy these products to its workforce, establishing a flexible identity layer on top of its legacy solutions, and extending that protection to more than 350 new cloud-based apps.
Okta Single Sign-On was placed as the front door of the company’s applications, which not only helped streamlined the work of USA TODAY Network’s time-strapped editors, reporters, and other staff, but reduced the chance of a rogue, written-down password going astray.
The company used Lifecycle Management to tidy up loose ends in a similar way—now, new staff members have near-immediate access to the apps they need to do their jobs, which limits employee frustration and increases productivity. Meanwhile credentials are immediately revoked when an employee or reporter leaves USA TODAY Network, which ensures no one outside the company has access to sensitive employee, customer, or proprietary data.
Security that fits
Of course, no matter how strong a company’s security posture is, there are always vulnerabilities. That’s why it’s so important for USA TODAY Network to build a security strategy with Zero Trust at its core, instead of relying solely on traditional perimeter-based security solutions. “We’ve come from a tradition of large, state-of-the-art data centers,” says Khazenie. “But now we’re moving more and more of our workloads to the cloud, so we work within a hybrid environment—and that begins to break down the traditional security perimeter.”
While the perimeter does protect hundreds of physical USA TODAY Network offices all over the country, reporters and editors are often on the road—and outside of that protected network. Adaptive MFA has been a key part of its new security strategy; the company now requires 100% MFA for its workforce. Combined with Universal Directory, which allows the company to sort its users into groups, Adaptive MFA will allow USA TODAY Network to write policies that will automatically dictate which users have access to which apps.
Deploying Adaptive MFA also helped the company achieve another goal; it was able to establish a secure environment that could accommodate partnerships and acquisitions without the use of a traditional VPN. Instead, the company’s policies could be used to reduce the attack surface by focusing on users and their devices at a more granular level. “Zero Trust is something we've been working on,” says Snyder. “The platforms we use need to allow us to move in that direction. Okta is moving right in step with us.”
The company has also made a number of other changes to strengthen its security posture while reducing friction. “We eliminate local and shared accounts,” says Khazenie. “We also require additional factors in certain access scenarios. Basically, we bring the account into Okta, write good policies, and enforce good rules. We also collaborate early and often when we’re going down the path of writing policies—there are a number of people from our identity management team and one from our security team. These are separate teams, but they have a common goal.
For USA TODAY Network, it was important to find a way to monitor access, detect breaches, and react quickly, so it established a two-pronged approach that included event- and state-based monitoring. By collecting metrics, the company gains a better understanding of what a normal environment looks like, and how a change will affect it.
“When it comes to identity, our general strategy is to maximize the use of Okta. Okta is a very good product with Zero Trust methodology, and it regards identity as the new frontier,” says Snyder. “This approach puts us in a strong position for reacting to bad policies when we find them, or bad actors when we detect them, so that we can fix the issue.”
Going custom
Sumo Logic played a major role in USA TODAY Network’s Zero Trust strategy as well. In addition to using the Sumo Logic platform for log aggregation, USA TODAY Network built custom dashboards that centralize logs and data feeds across its entire environment, in order to gain valuable security insights to make better security policies and know the impact these policies will have on users.
Okta API Access Management, which is designed to secure APIs, allows USA TODAY Network to give service accounts their own API tokens, enhancing security but also ensuring that if an administrator loses a token, the other accounts can still be accessed. That means problems can be addressed without affecting customers or reporters.
“If anything happens to this account, the service fails for a while and its API token gets revoked,” says Snyder. “But we don't lose our Sumo Logic because that's a separate service account with a separate API token, and its own server.”
With the Okta Identity Cloud and Sumo Logic acting together, USA TODAY Network is well-positioned to react to suspicious activity, whether that means enforcing step-up authentication, ending sessions, or forcing new credentials. Plus, it was quick to set up. “It took about an hour to integrate Sumo Logic with Okta,” says Snyder. “Okta integrates with everything, so it's very quick to move the Okta logs from one product to another.”
Sharing the love
Next, USA TODAY Network decided to leverage Okta to make it easier—and more secure—for reporters to access social media accounts, and then upload and share news content.
“We have a proprietary system for content management, and that's how our reporters in the field upload and manage content they’ve gathered,” says Snyder. “That system is secured via MFA through Okta. We’ve put various tools in place, like Hootsuite and Proofpoint, and Okta MFA to protect the content that goes out on social feeds.”
This is incredibly important, because when news accounts get hijacked, they not only lose public trust—they also lose investors. By putting Okta in place, along with other cloud-based partners like Sumo Logic, USA TODAY Network can trust that it’s in the best possible position to prevent these sorts of compromises—and reporters and customers enjoy a more seamless experience than ever before.
“We’ve raised our game in terms of cybersecurity and securing our environments, while providing a frictionless and convenient user interface,” says Khazenie. “Meanwhile, the integrations have allowed us to access a vast portfolio of products and platforms—it’s the integrations that have allowed us to put as much infrastructure behind us as we have.”
The next page
As technology and customer demands continue to evolve, USA TODAY Network will continue to adapt—and Okta will continue to be a part of that journey.
“We are extremely protective of trust,” says Khazenie. “Over the past two years, we’ve developed a growing relationship with Okta and as you can expect in the early days, there was hesitation—we were trying something new, and it takes a little bit of time to build trust—but I think we’re in a very good place today. We have had a very, very successful set of implementations with Okta, and the company has proven to be a very reliable partner for us.”
The company is already considering how it could leverage other Okta’s other solutions, especially Advanced Server Access. “We have hundreds of developers around the company managing thousands of servers in a hybrid environment,” says Khazenie. Advanced Server Access could help us manage those keys and tokens and shared accounts, and make it all a lot more secure.”
USA TODAY Network is also considering bringing the concept of identity-based access control to its advertising customers. “We're trying to build a self-service platform with self-service tools,” says Khazenie. “We want customers to be able to securely access and track their campaigns, and that's where the concept of identity and access management is going to get outside the perimeter of the employee base. We're going from 15,000 employees to now tens of thousands of customers externally. That's the next level of growth.”
About
USA TODAY Network reflects the stories that are important to the nation’s people, and hosts conversation across the United States. With honest reporting and unique visual storytelling that has united readers across the nation since 1982, USA TODAY Network delivers engaging breaking news, sports, money, life, technology, and travel content 24 hours a day, 7 days a week.