Building towards a cookieless future
Expanding on its initial offering, Zeotap branched out into the Customer Data Platform (CDP) space in 2019 with its Customer Intelligence Platform (CIP). As a company that began life in Germany - one of the most heavily regulated data markets in the world - Zeotap knew that its services had to be compliant with the demands of a privacy-first future.
Chief among the changes its CDP anticipates is the so-called ‘death of cookies’, which promises to make third-party cookies a thing of the past from 2023. This raises a challenge for advertisers, marketers, and others who rely on cookies to validate consumer identities in their journeys across the internet. Zeotap’s CDP provides its users with a 360° view of a brand’s customers, enabling them to unify, enhance and activate first-party data, with consent and privacy baked into the platform.
Zeotap has since taken its efforts to build towards a cookieless future a step further. In 2020, it began to develop ID+, a privacy-compliant identity service that addresses ID fragmentation, cookie restrictions, and increasingly stringent regulations across the world. ID+ is now integrated into its CDP and will allow its customers, including many top brands, to continue to run personalised ads, even after 2023.
“When we started Zeotap, privacy-first was the pivotal differentiator for us from other data businesses. With the help of Okta, we are carrying that legacy forward,” Ashwin adds. “One of the biggest challenges that brands are trying to solve is how to remove the barriers between data silos. Data on how a customer accesses a brand lives in multiple locations. Our Customer Intelligence Platform enables companies to bridge that gap, accessing all of their customer data in one place, while maintaining privacy and consent.”
Implementing Okta with Squareball
Zeotap worked with Squareball, one of Okta’s Authorised Service Delivery partners, during its Okta implementation, a process that was remarkably quick given the complexities involved. Kickstarting the project, including selecting Okta and running a POC, took around four months, while the implementation phase took just two.
“Squareball was a great partner,” says Sathishkumar Kuppuswami, Full Stack Architect at Zeotap. “The help that it provided went beyond implementing Okta. Squareball acted as consultants, digesting some of the big challenges we faced and provided invaluable answers to the questions we raised.”
Providing secure access with Single Sign-On
Zeotap wanted its CDP to be a modern SaaS platform. It knew that its existing situation had to change. For its new CDP platform, Zeotap wanted an enterprise-grade identity access management provider, and it turned to Okta to provide secure access for its customers and their users.
Previously, Zeotap used its own authentication systems to provide access via a username and password login system. It had no clean SSO solution in place which is integral to any SAAS platform. Each user might reset each of their credentials once a year, taking up 15 minutes of IT time each and incurring 22,500 hours in staffing time or €686,000 in average help-desk wages. Recognising that user experience is crucial for customer-focused offerings, Zeotap consolidated its apps into one single login with Okta’s Single Sign-On to create a seamless login process. This returns time to users too.
Zeotap now uses SSO to give its customers secure access to its Unify platform. Unity is also integrated with several internal apps, as well as Tableau, which provides analytics services built into the Zeotap GUI for a seamless user experience.
“Security is something that is always evolving, and we need to evolve with it,” says Ashwin. “What used to be ‘good to have’ is now standard practice and a key part of our customers’ gatekeeping efforts. We’re constantly looking to future-proof our products and want to work with partners and products that enable us to remain a step ahead of the curve. For us, that is Okta.” Sathishkumar adds: “Okta’s SDKs fast tracked integrations with our existing apps quite seamlessly.”
Providing seamless experiences with Inbound Federation
Another way Zeotap is providing a more modern experience for its customers through its Okta implementation is through offering Inbound Federation identity management to its customers, a capability that was a key component in Zeotap’s decision to partner with Okta. This enables a user's identity to be linked across multiple separate identity management systems while maintaining security. It gives Zeotap’s customers the freedom to federate into its environment using their own internal identity provider (IDP). Okta manages these connections to other IDPs for Zeotap, sitting between its platform and the IDP that authenticates its customers' users.
Inbound Federation provides Zeotap users with a seamless experience, enabling them to log in with their own credentials while federating into the Zeotap environment.
Prior to using Okta to allow customers to log in with their existing enterprise credentials, 10% of Zeotap’s accounts were locked during the onboarding phase. This caused poor customer experience and tied up the Customer Success Managers (CSM) charged with fixing this problem. Each lockout took potentially 30 minutes of a CSM’s time to resolve, as well as 15 minutes of IT help desk time, representing 1,350 hours of Zeotap’s time or €66,000 in internal resource costs. More importantly, this challenge took up as much as 1,800 hours of customer time spent waiting for a resolution. This created a highly dissatisfying onboarding experience that Zeotap was keen to resolve.
With Okta’s advanced capability, Zeotap can now rapidly scale up its operations, without having to provide additional staff to handle identity. It also means it’s able to attract interest from large enterprises, as well as security sensitive organisations such as banks for whom such security measures are paramount. Large organizations, such as these, want to log in with their existing identity provider and existing credentials, instead of issuing new credentials to each of their users and managing sprawl.
Okta also saves Zeotap hours in manual coding hours for integrations. Integrations may require simple authentication mechanics with an API key or a much more complicated three-legged OAuth flow, which Ashwin estimates take about three to four weeks each. This could be as high as 120 weeks of work over the next 12 months and rising to 200 weeks with expected new customers joining, time that Ashwin feels could be better spent on developing the CIP. This developer-intensive activity, enabled by Okta’s Inbound Federation capabilities, represents as much as €771,000 of fully-loaded developer resource costs, a resource that is hard to come by and hard to retain in today’s employment market. This also means clients get onboarded quickly and efficiently and see a faster time to value themselves with Zeotap’s services.
Aside from building these federations to external IDPs, Okta also automatically provisions users to appropriate apps based on where they’re coming from. This was previously done manually across two business units and took 20 to 30 minutes of IT time per service or app that Zeotap offered to a given customer. With Zeotap’s current client base, Okta has saved 30,000 hours of provisioning a year or €1.3 million of equivalent resource costs. This also means that Zeotap won't have to scale up its internal teams to meet new demand as its customer base grows. This could be worth as much as 20,000 hours or €890,000 in the near future.
Integrating external customers’ Active Directories
A particularly innovative approach that Zeotap has taken with its Okta setup is to allow its customers to integrate their own Active Directory (AD) with the Zeotap CIP. While this use case is fairly common within businesses - onboarding new brands through mergers and acquisitions, for example - allowing external organisations to do so is almost unheard of.
It’s made possible through a novel implementation of Okta’s AD Agent, a 5MB piece of software that allows for bi-directional read, write and sync capabilities across servers, enabling processes such as data transformation and sanitisation. It means Zeotap can pull in a huge amount of customer identity data into its Okta setup to power its services. That could entail, for example, 600 call centre staff from a single new customer needing instant access to the Zeotap CIP.
“If it weren’t for Okta’s AD agent,” Sathishkumar adds, “we would have had to onboard all of them onto a platform and more importantly, offboard all of them as well. With AD Agent, we can set up an ongoing relationship with real-time on and offboarding. It means we can give our customers and channel partners access, without having to control how many people they are providing access to. That’s hugely important to allow them to scale up with us as we grow.”
It is difficult to calculate the true value of pulling so many different companies’ directory data into a single place, with advanced grouping and rules functionality. This unique multi-source capability is a core reason why Zeotap chose Okta. The alternative would have been to consider each client as a separate silo within Zeotap, with a different tenant of an identity provider on top. This would mean each onboarding or integration had to happen manually across Zeotap’s clients, with all administrative work done numerous times across each. This would be similar to trying to establish a persistent federation with a newly acquired external company from a directory and app perspective, an activity which typically takes businesses seven to thirteen months or €1.3-2.5 million to do once. An approach like this would not have been viable for the service Zeotap wanted to offer. Okta solved this.
Looking to the future
Zeotap now hopes to implement an API gateway to automate user authentication and rate-limiting for its enterprise APIs. That will allow Zeotap to offer more headless, or API-first, products. And, as with Inbound Federation, Okta’s pre-built integrations for API gateways mean that Zeotap won’t have to expend valuable time coding the software needed to make this happen.