Okta helps Zoom maintain security posture in face of rapid growth

Grew from 10 million to 300 million daily meeting participants between December 2019 and April 2020

2 days to deploy tens of thousands of virtual machines

1 day to implement Advanced Server Access

A scaling opportunity like no other

Zoom, a leading enterprise video communications platform, could never have predicted the immense, rapid growth it would experience in the span of a few months in 2020. But the company rose to the opportunity. To scale quickly while offering seamless service to businesses, schools, and individuals around the world, Zoom moved to a hybrid cloud model, and deployed Okta Advanced Server Access for secure authentication.

“Identity is critical, security is critical, making sure that only the right people have access to the right data is critical. We’re going to continue the program that we've been on with Okta, into the future.”

Harry Moseley, CIO, Zoom

Explosive growth powered by the pivot to remote work

If it wasn’t already, Zoom is now a household name as a result of the COVID-19 shift to remote work (and virtual birthday parties, graduations, and beyond). Unarguably the leader in modern enterprise video communications, Zoom has become synonymous with virtual meetings, lectures, and events of all sizes, as well as with friends and family keeping in touch with face-to-face video chats.

“Our mission is all about empowering people to do more,” says Zoom CIO Harry Moseley. “And that's not more meetings. It’s empowering people to do more, whether it's bankers helping their clients, professional services helping their clients, or medical practitioners helping their patients. Our vision is about making a virtual experience, as good as—if not better than—the in-person event.”

That’s never been so vital as it has been since the pandemic upended the world. “Zoom has experienced incredible scale in our business this year as companies have shifted to remote work during the pandemic,” says Moseley. “Explosive growth” would be another way to describe the company’s trajectory.

“It’s a testimony to the architecture our founder and CEO Eric Yuan put in place when he built Zoom 10 years ago,” Moseley says.

Facing a massive and unexpected scaling event

That’s not to say it was easy. Facing a scaling event of that size and urgency is intimidating, particularly for the security and operations teams. “We pulled many, many all-nighters in order to stand up the capacity to be able to support the next day,” says Zak Peirce, Zoom’s head of Data Center Operations.

“There were more times than I could count of ‘we have to get all of this up tonight or tomorrow’s going to be a challenge.’ And I remember thinking to myself, ‘Man, I cannot believe that we’re supporting this massive amount of traffic every day in this huge growth pattern.’”

Zoom took a few key steps that allowed them to sustain exponential growth with no major service disruptions, including launching a hybrid cloud strategy. “We took a platform that was running in our data centers almost exclusively, to the public cloud,” he says. “The public cloud really gave us the ability to have that elasticity. No matter who you are, no matter how well you've planned, you can’t plan for 30x growth—unless you’re in the public cloud.”

As Zoom underwent this significant modernization, Peirce worked to support security and compliance at every step. “One of the things I always said is that my team was the judge, the jury, and the executioner on all credentials,” says Peirce. Being in charge of authentication put the responsibility and risk for compliance on Peirce’s team.

“We had a lot of controls around our authentication infrastructure for the back end,” Peirce reflects. “But when we grew at such a quick pace, we outgrew the tools that we were using previously. We had moved to a more traditional local account configuration. And as we looked at that and said, ‘This doesn't fit with our ability to scale. This doesn't fit with our ability to add more people into my teams,’ we decided that our traditional methods were not the correct path anymore.”

Zoom needed a better solution. Its legacy identity management environment was not equipped to scale easily with the public cloud or to the hundreds of thousands of systems in use. It was time for Zoom to find a new way to secure server access—to take the pressure off Peirce’s team and provide a seamless user experience to the millions of customers who rely on Zoom for work, education, and personal use.

Successful workforce implementation

The company didn’t have to look far for the answer. Zoom needed an identity solution that was cloud-based, scalable, and could meet their security standards—and it already had one on board. Zoom had successfully adopted a suite of Okta’s enterprise identity management solutions for its employees in 2019, including Single Sign-On, Multi-Factor Authentication, and Lifecycle Management.

“When you are thousands of people spread across all geographies and people are moving and joining the firm, you really need a sophisticated solution,” says Moseley. “And you think about the different devices we've got and the different operating systems we've got. There's lots of choices out there, but—there's a phrase they say about Zoom: it just works. Okta, it just works. It's fantastic.”

“When evaluating identity solutions, Okta’s reliability, security, and user-friendliness stood out to us,” Moseley says.

By adopting Okta Workforce Identity solutions, Zoom enabled seamless, secure access to over 100 applications, including Google Workspace, VMware, Workday, and ServiceNow for 3,500+ employees and contractors globally. That experience gave Zoom the confidence to expand their Okta use.

“We were using Okta for identity and access management for our employees,” says Moseley. “It was just a natural progression to pull Okta into our server infrastructure.”

“We went from hundreds to thousands of servers in the early days, and now to tens of thousands of servers running in 19 locations around the world,” he continues. “And that means more engineers and more DevOps, resources, et cetera. Managing all of that is extraordinarily complex. It started with manually setting up some rules, but replication of those rules only got us so far.” It was time for a more robust and flexible access management solution.

Quick implementation without service interruption

In early 2020, just as the business was scaling rapidly, Zoom purchased Okta’s Advanced Server Access (ASA) as a critical component of their cloud architecture. ASA would provide added security, seamless user access, and simplified privileged management at scale to Zoom’s production and staging servers.

“We initially selected Advanced Server Access to help us scale authentication infrastructure without impacting deployments,” says Moseley. “Our team deployed ASA in just a few weeks to thousands of servers across two different platforms.”

Peirce adds that the initial implementation was remarkably quick once the plans were in place. “We spent about a month figuring out how can I deploy this? How can I not break anything? How can I make sure that I get all of my users in here?” he says. “Authentication is such a critical piece to the environment, you really can't cause a breaking change.”

Peirce compares the ASA deployment to the deployment of Zoom’s previous LDAP environment—ASA was implemented into a “massively larger” environment, but it was actually up and running in less than a day. “A full deployment, that includes the RPM installed on all the environments, users created, the ability to log in—I mean that's such a quick deployment without causing any interruption,” he says. “It also allowed people to log in with the old system and the new system, side by side.”

Okta integrated seamlessly with Zoom’s existing Ansible framework, enabling the automation required to scale quickly. “We were working hard to make sure everything stayed up, everything worked,” says Peirce. “The fact that we were able to put ASA in during that crazy growth mode speaks volumes to the fact that we were able to automate.”

Beyond traditional access management

After the success of that initial deployment, Zoom expanded its investment in Okta Advanced Server Access (ASA) significantly later in 2020. The company is also exploring Okta Workflows and other automations through the Okta platform, which has unlocked a number of additional use cases. For example, if a user is locked out of Okta, an automated notification is sent to system administrators to help address the issue.

“This has allowed us to go beyond the scope of traditional access management and makes us confident that we have the tools and platform in place to meet our evolving needs,” says Moseley. “Workflows has also enabled us to automate our admins’ tasks. For example, every new admin onboarded at Zoom is now automatically assigned to the correct roles, which can include up to 450 separate group admin roles.”

Simplicity and visibility

Peirce and his team noticed the benefits of Okta ASA immediately. “Our security team wanted to have more visibility into who was doing what within the environment. Okta provided us the ability to do that, without having to make massive amounts of changes to our infrastructure.”

“Now when the security teams or the compliance teams come to me and say, ‘We need to know what servers people have access to and how they can access them,’ I can say, ‘All of our servers are configured through Okta ASA. Here's the list and here’s how we do our groups,’ and that's done,” Peirce says. “Okta has substantially simplified my life from a compliance standpoint.”

“Also, the number of things I have to worry about for SSH keys is zero. A new person comes on, I no longer have to run an Ansible job to put it on a number of servers, or go into our old LDAP and add the key. All of that is just gone, and Okta deals with all of it, with very little change. Makes my life much easier.”

For that, Peirce credits a strong collaborative relationship with Okta. “All of the hard work that we've put in and the Okta team has put in has really paid off,” he says. “We have pushed the Okta team, and Okta has delivered. Okta has really helped us continue to grow and keep our security posture where we felt comfortable, and where we really wanted to be on our growth path.”

A partnership for the future

Moseley echoes the sentiment. “The Okta platform has given us the tools we need to continue to grow our business and meet our evolving needs,” he says. Not only that, but the reliability of Okta enabled the Zoom IT team to eventually stabilize and then reduce their workload, so they could turn their attention to more strategic aspects of their jobs.

“We know we can rely on Okta to meet the massive scale requirements that our growing business needs,” says Moseley.

Looking ahead, Zoom plans to enhance endpoint security without creating barriers for employees. Zoom is exploring the opportunities offered by Okta Identity Engine, including leveraging Okta Device Trust and FastPass to provide streamlined, secure access to employees, wherever they log in from.

“Identity is critical, security is critical, making sure that only the right people have access to the right data is critical,” Moseley continues. “We’re going to continue the program that we've been on with Okta, into the future.”

About Zoom

Zoom is for you. We help you express ideas, connect to others, and build toward a future limited only by your imagination. Our frictionless communications platform is the only one that started with video as its foundation, and we have set the standard for innovation ever since. That is why we are an intuitive, scalable, and secure choice for large enterprises, small businesses, and individuals alike. Founded in 2011, Zoom is publicly traded (NASDAQ:ZM) and headquartered in San Jose, California. Visit zoom.com and follow @zoom.
