A culture of constant improvement
Slack is only seven years old, but it’s already made an undeniable impact on the business world. From Fortune 500 CEOs to contractors, millions of people rely on Slack to help them work more collaboratively and productively. And that number continues to grow as more people across industries begin working remotely.
The company’s goal of helping people be more productive is also embodied in Slack’s internal business culture. Everyone plays a part—including the company’s IT organization, known as the “BizTech” team, which frequently revisits its Business Technology strategy in order to maintain a convenient, productive, and secure employee experience.
With such frequent reviews, it didn’t take long for BizTech to realize that Slack needed to reduce the number of apps it had amassed as a start-up. It also needed to centralize access (and access control) for the remaining apps.
“Most of the BizTech infrastructure wasn't even managed in the same department,” says Curtis Salinas, Slack’s senior director of strategic planning and operations. “So Slack’s first identity goal was to pull them all together. There were around 450 SaaS apps in use, which is a lot for a company that had fewer than 1000 employees at the time.”
Consolidating its technology stack for better access control and a simplified user experience quickly became a priority for Slack. It took decisive action, streamlining its BizTech landscape by eliminating 100 apps and partnering with Okta for identity. Slack was able to consolidate to 350 apps, and 200 of those are centralized and protected by Okta’s Universal Directory and Single Sign-On.
Reducing complexity and boosting security
When Salinas joined the team a couple of years later, Slack was intensely focused on improving its security posture. The company was considering going public, which would mean meeting stricter control requirements such as SOX, on top of the requirements of large enterprise and government customers, such as FedRAMP. Slack also wanted to move towards a Zero Trust model that would protect the company’s employees, platform, and data without limiting users to working at the office or on specific devices. This has become increasingly important with so many employees shifting to remote work as a result of COVID-19.
The company improved access control by increasing the number of apps behind Okta SSO, and embracing multi-factor authentication. “We don't believe in putting everything behind firewalls and making people use VPNs,” says Salinas. “With Okta, we know who is requesting access, and whether or not they're using a device we can trust.”
Next, Slack began exploring ways to safeguard and automate the provisioning process. This was necessary in order to reduce the possibility of human error, while improving reporting and auditing capabilities to meet SOX and FedRAMP guidelines.
“When you come into the company, everything starts with identity,” says Salinas. “The tools that you're going to use depend on who you are, where you work, what your position is in the company, and who you report to. Obviously, that puts more emphasis on getting things right in Okta.”
Establishing the right processes
Before Slack could fully embrace an identity-first BizTech strategy, Salinas had to decide how to restructure Slack’s Business Technology environment, starting with which system would be the source of truth for identity.
Salinas decided against using Active Directory (AD) early on. “My last AD team had five people on it,” he says. “It required a ton of infrastructure, constant tweaking, upgrades, and change. It’s a whole discipline in and of itself. When I got to Slack, it didn’t make any sense because we’re heavy Mac users, and wouldn’t benefit from any of AD’s Windows management capabilities.”
Instead of spending time and resources on AD maintenance, Salinas decided to focus on reducing complexity by scaling Slack’s Okta usage. “Okta has been ahead of the game in terms of pre-packaged integrations. We use Duo, a third-party MFA, and we love the simplicity of that in an environment like Okta. Okta was born knowing what it’s good at—and that’s making it easy to plug into other solutions. That's just not something you find in the Microsoft stack.”
With the right tools in place, Slack began considering ways to improve its ability to automate its monitoring and provisioning processes.
“We looked at how our processes flowed across the entire company,” says Salinas. “Then we considered how they affect our various business systems. Once we pulled all that together, we had an immense treasure trove of data, and that’s been a huge focus for us for the last year. How do we make sure the data is clean? And how do we pull it into one place and make it usable?”
Salinas knew he’d found the answer when he heard about the HR-driven provisioning capabilities of Okta Lifecycle Management, combined with the automation capabilities of Workflows, part of Okta Platform Services, which provides a no-code, graphical interface that integrates with a wide range of commonly used apps.
Together, these Platform Services make it easy for the BizTech team to automate a range of administrative tasks, from onboarding and offboarding users to sending reminders to employees and HR staff. “As soon as I heard about it, I immediately thought, ‘It’s a logic system. This is all I need to build these groups. Sounds good to me!’” says Salinas.
More time, less risk
By this time, Slack had gone public and was preparing for its first SOX audit as a public company. “We were doing some digging on what logs we needed to pull from Okta,” says Salinas. “One was a job that happens between Workday and Okta. We needed to be able to show that access changes were feeding correctly from Workday to Okta.”
As a Premier Plus Success customer, Slack was already working closely with Okta’s Customer First team. So when the company decided to adopt Workflows, it already had access to a range of Customer Success, Support, and Education Services, including 24x7 access to Okta’s on-demand training catalog through its Premier Learning Pass subscription.
With the help of an experienced Okta Customer Success Manager (CSM) and a quick-thinking support engineer, Slack found the solution it was searching for. “We were able to boil it down to specific logic, and Okta was able to help us automate the monitoring process with a quick workflow within 48 hours,” says Salinas.
Slack uses SailPoint as its governance tool for SOX audits, supplemented by Workflows automation. In SailPoint, two feeds of Okta users are generated: one listing employees in SOX-relevant roles, and another listing employees with Okta admin access.
Both feeds are then cross-referenced with the data in Workday, the HR source of truth. If a discrepancy is detected, the workflow automatically creates a Jira alert for the appropriate administrator, who then either removes the user from the incorrect group or adds them to the missing one, depending on the situation.
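The cross-check described above, as an added example that is not Slack’s, Okta’s or SailPoint’s code: two feeds of Okta users (SOX-relevant groups and Okta admins) are reconciled against a Workday roster, and each discrepancy becomes a ticket for an administrator. The roster, both feeds, the role-to-group entitlement table, the rule that only the “BizTech” cost center may hold Okta admin, and the project key are all constructed assumptions; the ticket dict follows the shape of a Jira create-issue request but nothing is sent.

```python
"""Reconcile Okta access feeds against the Workday roster (added example).

All data below is constructed. ROLE_TO_SOX_GROUPS, ADMIN_COST_CENTER and
the Jira project key are assumptions for illustration only.
"""
from dataclasses import dataclass

# Constructed Workday roster: worker id -> HR attributes (the source of truth).
WORKDAY = {
    "w100": {"status": "Active", "job_profile": "Accountant", "cost_center": "Finance"},
    "w101": {"status": "Active", "job_profile": "Software Engineer", "cost_center": "Engineering"},
    "w102": {"status": "Terminated", "job_profile": "Accountant", "cost_center": "Finance"},
    "w103": {"status": "Active", "job_profile": "IT Engineer", "cost_center": "BizTech"},
    "w104": {"status": "Active", "job_profile": "Controller", "cost_center": "Finance"},
}

# Assumed entitlement policy: which SOX-relevant Okta groups a job profile grants.
ROLE_TO_SOX_GROUPS = {
    "Accountant": {"sox-gl-users"},
    "Controller": {"sox-gl-users", "sox-gl-approvers"},
}
ADMIN_COST_CENTER = "BizTech"  # assumed rule: only BizTech staff may be Okta admins

# Constructed SailPoint feeds of Okta users (ids match Workday worker ids).
SOX_FEED = [("w100", "sox-gl-users"), ("w101", "sox-gl-approvers"),
            ("w102", "sox-gl-users"), ("w104", "sox-gl-users")]
ADMIN_FEED = ["w103", "w101"]


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # not_active_in_workday | excess_group | missing_group | unauthorized_admin
    detail: str


def reconcile(workday, sox_feed, admin_feed):
    """Return every discrepancy between the Okta feeds and the Workday roster."""
    findings = []
    actual = {}  # user -> set of SOX groups the feed says they are in
    for user, group in sox_feed:
        actual.setdefault(user, set()).add(group)

    # Feed 1: anyone in a SOX group must be active and entitled by job profile.
    for user, groups in sorted(actual.items()):
        worker = workday.get(user)
        if worker is None or worker["status"] != "Active":
            findings.append(Finding(user, "not_active_in_workday",
                                    f"in {sorted(groups)} but not an active worker"))
            continue
        expected = ROLE_TO_SOX_GROUPS.get(worker["job_profile"], set())
        for g in sorted(groups - expected):
            findings.append(Finding(user, "excess_group",
                                    f"{g} not entitled by job profile {worker['job_profile']!r}"))

    # The reverse direction: active workers whose profile entitles a group they lack.
    for user, worker in sorted(workday.items()):
        if worker["status"] != "Active":
            continue
        entitled = ROLE_TO_SOX_GROUPS.get(worker["job_profile"], set())
        for g in sorted(entitled - actual.get(user, set())):
            findings.append(Finding(user, "missing_group", f"entitled to {g} but absent from feed"))

    # Feed 2: every Okta admin must be an active worker in the admin cost center.
    for user in sorted(admin_feed):
        worker = workday.get(user)
        if worker is None or worker["status"] != "Active" or worker["cost_center"] != ADMIN_COST_CENTER:
            findings.append(Finding(user, "unauthorized_admin", f"Okta admin outside {ADMIN_COST_CENTER}"))
    return findings


def to_jira_issue(finding, project_key="ACCESS"):
    """Build a Jira create-issue body for one finding (assumed project key; not sent)."""
    action = {"missing_group": "add user to group",
              "excess_group": "remove user from group",
              "not_active_in_workday": "remove all access and deactivate",
              "unauthorized_admin": "revoke Okta admin role"}[finding.kind]
    return {"fields": {"project": {"key": project_key},
                       "summary": f"[{finding.kind}] {finding.user}",
                       "description": f"{finding.detail}. Remediation: {action}.",
                       "issuetype": {"name": "Task"}}}


if __name__ == "__main__":
    for f in reconcile(WORKDAY, SOX_FEED, ADMIN_FEED):
        print(to_jira_issue(f)["fields"]["summary"], "-", f.detail)
```

On the constructed data this reports four discrepancies: an engineer who is in an approver group and also holds Okta admin, a terminated accountant still in a SOX group, and a controller missing a group her role entitles. Checking both directions matters for SOX: an excess group is a segregation-of-duties risk, while a missing group shows the Workday-to-Okta feed is not applying changes correctly, which is exactly the evidence an auditor asks for.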
Overall, this eliminates a lot of risk. “If we don't properly catch an error and it ends up in a SOX audit, we would have to report it to the US Securities and Exchange Commission,” says Salinas. “That’s a big risk for any company.”
It also saves a lot of time. Originally, the company had an employee who spent half an hour a day checking logs for errors, and Salinas would spend another 10-15 minutes consulting with her.
“It totalled 30 to 45 minutes a day,” says Salinas. “And usually, at least one job failed every day. But now, it’s much less frequent with Workflows. We went through the manual review process once this week, and once two weeks before that. But we only have to do it during maintenance windows now. And we’ve begun to think about ways to add more logic with Platform Services so we don’t have to do manual reviews at all unless there’s an actual failure.”
Even when manual access reviews do have to be done, the process is much simpler, especially now that all Slack’s most commonly used apps have been integrated.
“When people ask for information that’s outside of our day-to-day operations—maybe someone needs to know what access someone had at a particular time, or they want to run a report against which roles have access to which apps—it’s all centralized,” says Salinas. “The benefits of that really show up during audit time, whether it’s now, when we’re doing our SOX audits, or next year, when we’re working on FedRAMP. It’s just incredibly easy for us to confidently report that everything is where it should be.”
The company is currently working with Professional Services on a health check project that includes optimizing Workday as the master source of identity data and implementing FedRAMP.
Streamlined provisioning with Okta Workflows
With Okta Lifecycle Management, Slack also automated provisioning and deprovisioning for its most commonly used apps. Now, when a new employee starts at Slack, they’re directed to a specific Slack channel where they interact with a bot, which grants access to seven apps that are used company-wide. In total, Slack has integrated more than 27 apps with Lifecycle Management to streamline employee onboarding.
Mapping groups of employees directly to downstream applications lets the company meet employees where they are: being able to request access to new apps from a platform they already use (Slack) makes the process simple and convenient for everyone.
“Employees can even be notified of their rejection or acceptance in Slack,” says Salinas. “But behind the scenes, it’s all powered by the Okta Platform Services engine.”
New employees can also start working sooner, now that basic tools are provisioned automatically. “Not even that long ago, everything was completely manual, so it’s been phenomenal to not have to worry about having a staff member there to click buttons and grant access.”
“Our Customer Success Manager has been tremendous and so has everybody else she's brought to the table,” says Salinas. “When we needed to meet our SOX standards, we went from ‘That’s going to be a big hill to climb,’ to ‘Oh wow, there’s a simple way to get this done.’ Okta just provided it, and we were off to the races.”
Finding new use cases
Moving forward, Slack plans to continue exploring new ways to reduce risk and increase compliance within its existing ecosystem, including using Okta Hooks to run reviews in additional systems.
The company also intends to start digging into more focused use cases, ones that require a more granular approach. “That’s when I think it gets even more interesting, because now the groups are established,” says Salinas. “The cool part is when we start considering different ways to use those groups.”
“To me, that's super exciting, because new employees won’t have to ask for anything—it’ll just be available to them on Day One,” says Salinas. “It’s less work for my team and makes more sense for the employees, because they don't need to hound anyone for access.”
Slack will also start looking at ways to help employees become more self-reliant. “How can we use Okta Workflows to enable employees to manage their own distribution lists and groups without having to actually learn Workflows?” says Salinas. “To me, that’s worth so much.”