Going from a Fragmented Identity to a Global Unified Shared Services Model

Atul Bahl: Hello everyone. My name is Atul Bahl and I am Vice President of Cloud Infrastructure at Verisk Analytics.

Philip Galea: Hi guys. And I'm Philip Galea, Director of Engineering at Wood Mackenzie. Today we're going to do a quick presentation on the fragmented customer identity moving to a unified shared service model. We are going to talk a little bit about how our teams have collaborated on numerous technology projects and initiatives, working with Atul, sitting at the corporate center, and myself leading the technology team at one of the Verisk family of companies with Mackenzie and specifically looking at customer identity being one of our initiatives. So Atul will take you through the agenda.

Atul Bahl: Thanks, Philip. So quickly let's go through the agenda, what we'll be talking about today. We'll start off with an introduction into Verisk, as well as with Mackenzie, one of our member companies. We'll then dive into the history of Okta at Verisk, which began several years ago as a workforce use case and has evolved recently into the customer identity use case. We'll dive deeper into the architecture of Okta and specifically how Wood Mackenzie's leveraging a platform, as well as how we are managing it centrally.

Atul Bahl: And then we'll talk a bit more about our successes, challenges, lessons learned, and we'll wrap it up with an outlook over the next 12 months, followed with some Q&A. So, Verisk Analytics, we are a data analytics provider and we service three industry verticals. Insurance, energy and financial services. In short, we help our customers make better decisions using our analytics and insights. We've been doing this for nearly 50 years now and we have presence in 30 countries across the globe.

Atul Bahl: Now, what's really relevant for the conversation today is that Verisk is a family of operating companies, what we like to call member companies, with Mackenzie being one of them. We grow very aggressively through acquisition and, as a result, we have a fair amount of autonomy at the member company layer and more of a decentralized corporate hierarchy. So, as a result, there's a certain nuance between what's driven by the center and what's handled at the member company level.

Atul Bahl: And this is true across all business functions but certainly it applies to technology and customer identity, which is what we're talking about today. Also important to note is that we are in the midst of our own cloud journey across the enterprise. What that means for Verisk is that we're on a mission to migrate all workloads from on-premises data centers to the cloud, whether that's infrastructure as a service, platform as a service, software as a service, a mix of all of the above.

Atul Bahl: And most certainly we have a cloud-first mindset for all new initiates. Specifically, what that means for the identity use case is that we see it as an opportunity not only to leverage the benefits of the cloud, but also as an opportunity to rethink the way we have done things in the past and to really present ourselves in a more unified way across the enterprise. I'll hand it back to Philip now who will talk a little bit more about Wood Mackenzie.

Philip Galea: Thanks, Atul. So a little bit of history about Wood Mackenzie. Wood Mackenzie's heritage and reputation was really formed round about North Sea oil and gas in the 1970s. As the organization has grown over the years, various ownership, funding rounds, our breadth and depth of coverage have grown, as well. We now cover interconnected industries of metals, mining, chemicals, power, renewables, and commodities globally.

Philip Galea: In 2015, Wood Mackenzie was acquired by Verisk and we became part of the Verisk family of companies, or member companies as Atul referred to them as. This, I think, combined organization has certainly made Wood Mackenzie stronger. It's made us able to really accelerate on our ambitions and to grow in our markets.

Philip Galea: Most of our business is really through our online tools, our fiscal models, our web applications, our APIs. We're very, very web orientated. In late 2018, we launched what we call Wood Mackenzie Lens. It's our new cloud-based analytical platform. And that was quickly followed by Lens Direct in early 2019. And that is really to provide our customers with direct access to our data and ultimately transform our business to be better positioned for the faster pace of the digital age.

Philip Galea: And I think the key thing of all of this is really through the combined efforts. We've really worked hard with the center and we've worked really hard to drive that successful adoption of Okta for both our workforce and, as you'll see in our next slides, through the customer offerings. I will hand off back to Atul for the next piece.

Atul Bahl: Great. So I'm going to assume that most, if not all, customers of Okta began with a very similar story and it was the workforce use case. That's certainly the case here at Verisk. We enabled SSO to a few SaaS platforms early on. In our case, it was back around 2015. ServiceNow being the first, followed soon after by Office 365. But over the years, this has grown to a library of well over 500 applications across our cloud footprint.

Atul Bahl: And, more importantly, it's evolved from what used to be considered an optional feature, a nice-to-have, into a defacto mandate for any type of corporate access into our growing cloud ecosystem. We certainly see it as an enabler for secure cloud adoption. You can't really imagine how any of this would work without that layer in between. It's also been an enabler for securely managing our cloud footprint as we manage largely in AWS and other cloud providers, as well.

Atul Bahl: So we securely access our infrastructure that we're building in the cloud, as well as securely accessing the applications that we consume via SaaS. Also very important to us, we found it to be a very unifying platform. As I mentioned earlier, we are a family of companies, we grow aggressively through acquisition, so Okta is certainly an enabler for the M&A IT integrations and it's a way to unify all of the various identities that exist across a wide range of directories internally, unifying that and then presenting ourselves as one Verisk identity out to the world.

Atul Bahl: So, as we thought through this a bit more, we started to wonder, can we use the same platform to solve a similar challenge on the customer identity side? Where, again, we have applications scattered about, directories and users dispersed, not very unified. And, at the same time, we do have a fair amount of overlapping customers. So, from their perspectives, they may think of us as dozens of different applications and URLs to remember when, in fact, we really are one company.

Atul Bahl: So how can we make that a bit better, not only for the customer but for ourselves? So we think through this a bit more, what really drove us down this journey. Certainly there were technical drivers and those are pretty much the same drivers that lead us towards any type of cloud adoption, and that is consuming a platform rather than building infrastructure, managing that infrastructure, keeping up with the latest features that are expected of us in this rapidly evolving space of identity.

Atul Bahl: Why would we want to build and manage that where we can instead consume it? And, when you think further about our cloud journey, being in a hybrid cloud state and a multi-cloud state, stripping away that identity layer, certainly made a lot of sense. So, for technical reasons, going down this path made sense for us and it was very apparent to us. But I wanted to focus a little bit here on some of the business drivers.

Atul Bahl: What Okta gives us here is the ability to span across business units, so to break down some of those silos that I alluded to earlier. It would help us unify the customer experience and the user experience, whereas right now it's very inconsistent, depending on which entry point you have into our world. And to present more of a unified Verisk-wide experience for our customers. That, in turn, improves our ability for customer analytics with all the rich metadata and data that we gather from our customer logins and authentications. Whereas right now that would have to be stitched together from many, many different repositories.

Atul Bahl: Then, finally, it certainly strengthens our security posture which, in turn, improves our product as we take it to market. So, using modern authentication methods, multi-factor authentication, federation. It only enhances the product. It protects the very sensitive data that we host and overall improves the product as we offer it to the marketplace. Now, how we did this wasn't via some top-down mandate. That doesn't really work very well at Verisk due to the nature of how we're structured.

Atul Bahl: So the approach we took was more of a community model. We call it a Community of Interest. Early on, like-minded individuals got together and we just started talking. We started meeting regularly, sharing ideas, potential challenges, potential solutions to challenges, eventually sharing code snippets, etc. And organically it started to take shape and become something more concrete. And what that allowed us to do was to solve business-specific problems, but with an enterprise-wide mindset.

Atul Bahl: And what that also allowed us to do was to create repeatable patterns and blueprints so that subsequent app teams who wanted to tap into the platforms can really hit the ground running. And one of the charter members of this community were our friends at Wood Mackenzie, specifically Philip. He took a lot of interest in this early on and helped drive it forward. So I'll hand it back to him and he can talk us through their specific cloud journey with Okta.

Philip Galea: Okay. Thanks, Atul. So, to describe Wood Mackenzie's journey, we need to wind the clock back a little to 2017. We had a small team. We were given an opportunity to reshape our digital estate. At that time, that estate consisted of 118 products across 22 subsystems. Our existing CIAM, that was intertwined with an extensive, cumbersome portal. Everything was brittle, everything was fragile. It was a real hellhole.

Philip Galea: The business goal of this project was really to create a new public-facing experience that supported various teams in terms of content, as well as to iterate on our initial e-commerce offering. Our technical goal, however, was really to externalize the CIAM and effectively treat every system as an equal, driving towards a reusable CIAM model.

Philip Galea: In terms of what we actually managed to deliver at the end of 2017, it was far greater than what we possibly imagined initially. We managed to isolate all user registration, activation, sign-in, and password reset flows into one single system. We established a core set of APIs fundamentally supporting an entire ecosystem. We integrated our Okta integration with respect to the back-office functions, so that workforce tenant that Atul alluded to.

Philip Galea: We did a deep integration with that and integrated that with our own employee life cycle system. We also, more importantly, established a set of patterns leveraging Okta for the integration to all back-office systems, SaaS offerings, and developer tooling. Fundamentally, this work paved the way for the CIAM approach that was to follow later on, but it took a further eight months to raise that opportunity to re-platform and to move towards Okta for the CIAM.

Philip Galea: 2018. This, I think the keynote here was we wrote the first paper on our ideas about CIAM. We published that internally. A few people were interested in what we had to say, our thinking, our position. A key part of our hypothesis was very much our own journey in terms of driving and adopting cloud. Our key hypothesis was centered on the premise that as more and more customers adopt the cloud-based services, in conjunction with the evolution of privacy legislation, we would actually see a greater need for identity platforms and the ecosystem maturing and becoming much more prevalent as our customers matured.

Philip Galea: Towards the middle of 2018, as Atul mentioned, we kind of all banded together. We started to talk more and more about our ideas, collaboration, and we formed our Verisk CIAM Community of Interest, essentially bringing business units together who would otherwise remain in their silos and continue to focus on their own business needs. This opportunity came about and really helped us to harness all these different needs from the different aspects of the different businesses, and really bring them together and round out a neat set of solutions centered around how to drive the concept of using Okta for the CIAM.

Philip Galea: At that stage, in 2019, Wood Mackenzie leveraged the Okta Professional Services in the United Kingdom. We held a three-day workshop. Effectively, it was deemed to be an extended hackathon-style approach where it was very open, very much designed for engineers to ask lots of questions about the platform, to get hands-on experience with the platform, and to build out small prototypes and POCs with the platform.

Philip Galea: Again, in 2019, we had the opportunity to go to OptivCon 2019 and we got a couple of the lead engineers to really cement their experience with Okta on a few of the courses and really take the concepts that we'd built out earlier in the year and really bring them to fruition. And later that year we signed up with Okta. We instantiated our Okta tenants to support software development life cycles and, towards the end of that year, we had some product releases that moved out.

Philip Galea: And then, back to Wood Mackenzie, so we are on the cusp of going live with Okta for our CIAM. We have migrated and integrated in the region of 120 products across 22 subsystems. We're just doing the final touches to those and we're ready to move our user base across to the new platform in a few weeks.

Philip Galea: So what was really the key driver for us? Why did we want to do all of that work? The short answer, it's very clear. We want to drive adoption to modern authentication and modern authorization protocols. Standards like OpenID Connect. Standards round about federated identity, etc. So that was one key aspect, and really allowing the engineering teams to be efficient with those technologies and drive a very standard approach through the ecosystem.

Philip Galea: In terms of driving the business maturity, as well, I think that was a key aspect and a key concern that we had that we wanted to leverage everything that was great about the Okta platform in terms of user management, in terms of being able to set up trust relationships with our customers, in terms of federation, and then also giving something back to our customers in terms of giving them some control round about what fields they were willing to share with us and allowing them to control. So that was a key aspect for us that we wanted to really bring to the business.

Philip Galea: In terms of the capabilities that we've used in Okta, I think it's safe to say we've probably used most of the capabilities that were available to us and certainly, as the Okta platform has matured, we have been pretty early adopters of certain things. Things have worked out really well in some cases and I think some things we just need a little bit more maturity on the Okta platform, but overall we've been very satisfied.

Philip Galea: In terms of how we've used these different components, we've heavily used the Okta SDK and services. Really, one of our goals, again, that service-orientated architecture, we've really wanted to encapsulate all our specific business logic. All that logic that's related to our users, the life cycle, our subscriptions, and our life cycle of those subscriptions, we have encapsulated into a set of services which orchestrate Okta through the SDKs and the APIs.

Philip Galea: More recently, we've made some use of Okta automations and certainly used Okta Hooks. Those two features were introduced in Oktane 2019. Fantastic features. Again, more recently, we've leveraged some Okta LDAP Interface capability round about commercial off-the-shelf solutions. So, without going into too much detail there, we found it to be a really handy capability for a drop and replacement where normally one would have, say, an LDAP. We've certainly found there's been a low latency, not many issues around about, then, round about trace. Just a few issues round about the rate limiting on that particular one.

Philip Galea: The other piece, API Access Management. Again, we have driven strong adoption round about OpenID Connect. We think that's a fantastic standard to align on and it gives a fairly strong direction for our API teams to build out using both coarse-grained and fine-grained scopes to restrict through APIs. And, last but not least, we've made full use of the Okta Sign-In Widget, both hosted as well as self-hosted versions of that sign-in widget.

Philip Galea: As you can see from the screenshot here, we've opted to host the sign-in experience ourselves but we're making full use of the hosted sign-in widget hosted on Okta. It just works straight out of the box and is very configurable inline and it lets us do a lot of great things that really keeps it on brand. And now I'll hand it back to Atul, just to talk a little bit about the actual architecture of the Okta tenant and how we've decomposed this.

Atul Bahl: Great. Thanks, Philip. Great stuff. I did want to take a step back here and talk about our overall architecture, because we want to be able to support all the great work Wood Mackenzie's doing but, at the same time, coexist with all the other application teams and the business lines that want to do similar and play nice together, so to speak, on the shared platform. So that really was one of the first key decisions we had to make is do we want to do this in a shared tenancy or do we want to go with what's been referred to as the hub-and-spoke model where we have a central tenant hosting the applications, we have spoke tenants hosting various customers aligned to business units.

Atul Bahl: There are some pros and cons to either approach. The hub and spoke presented the opportunity for more isolation from a security standpoint, and more customization capabilities from a branding standpoint, which is a bit of a pain point right now. We'll get to that in a moment. But, on the other hand it did introduce the potential for lots and lots of management overhead. When you think about all the business units that we would need to support, and different environments on their software development life cycles that we would need to support, it really started to add up in terms of how that would look. It almost felt like we would be bringing to the cloud the same problems that we had inherited on premises, which was several different repositories of users somehow stitched together to make it work.

Atul Bahl: So for now we're marching forward with the shared tenancy. We're also very confident and hopeful that some of the feature requests and the product roadmaps will come into fruition over the next months, which will help get us past some of these technical hurdles that we are facing with the shared tenancy model. But overall we do think that's the right way to go.

Atul Bahl: We do support three types of user provisioning at the moment. Inbound federation, which is highly preferred because it does remove the headache of user management and sort of offloads it to the customers. And also is something that customers tend to want more and more. We also support delegated authentication off of active directory domains. Here the use case is either a transition effort as we move towards more modern authentication means, or in some cases it is more of a long-term solution due to the nature of the underlying application.

Atul Bahl: And we also of course support Okta mastered users, where the users are provisioned and the whole life cycle happens within Okta itself. What you see over on the upper left there in that Okta cloud, that refers to our workforce tenant. Sometimes I refer to that as customer number one. We inbound federate using Okta org-to-org into our customer tenant so that any one of our employees who need to consume our customer-facing apps, which there are a lot of, they do that via that federation.

Atul Bahl: Over on the bottom I highlight some of the administrative and programmatic interfaces. So select members of the business application teams are given role-based access to the tenant and these are scoped down to typically group admin rights to particular groups and application admin rights to particular applications. We are limited somewhat by the current state of role-based access within Okta. That is a bit of a pain point. We'll touch upon that later but for now it does the job.

Atul Bahl: And also for programmatic access largely around provisioning actions, we grant API tokens for that to function and these tokens are also scoped down to what they need to do. We'll soon be moving over to OAuth for Okta, which is an EA right now, but it looks very promising, to allow us to be even more granular with the programmatic access there. We also ship all of the system logs over to a Splunk Cloud, which gives us the ability to retain this information for longer periods of time, do further analysis, reporting, and visualization but also it's a nice central repository for all logs, since we send application logs, infrastructure logs, logs from AWS where a lot of these things are being built. All are being aggregated in that one hub, so it gives opportunities for correlation and it just simplifies whether it's troubleshooting, whether it's analysis reporting, in one spot.

Atul Bahl: And, as I alluded to earlier, a lot of these decisions were made by the community. So we collaborate and figure out what this best model is for us. That includes things like, what is the right security model, the permissions model. Naming conventions become very important when you're coexisting in a tenant, so we discussed that and agreed upon that, whether that's for groups, attributes, API components, and so on.

Atul Bahl: Change management is important. So, whether it's an Okta feature that we want to introduce into the environment, whether it's a configuration change. We like to scope that as much as possible to specific groups or specific applications, but there are times where the change is a tenant-wide change or an organization-wide change so we have to be really careful about introducing that into the environment.

Atul Bahl: So, to assist with that, whatever you see here on the screen, you can imagine two additional versions of that. So we have a test acceptance and production version of what you see here. And that allows exactly that, to introduce safely changes into the environment and also to support development and release processes for our development teams.

Atul Bahl: Let's talk a little bit about some of the success stories. We've been at this for a bit over a year now and we've had several successful product go-lives. We are at approximately 200,000 users live and in production right now. And we're on track to hit about 500,000 by year end. So I'm very happy with that progress. We seem to be onboarding new users on a weekly basis and more applications are being added to the pipeline. All that's been largely through organic growth, so we're really happy to see that.

Atul Bahl: The users and applications have been a wide range. We support, as I mentioned earlier, federated users, Okta mastered users, delegated-authentication users. The applications are web-based, SAML, OIDC, mobile apps, and even terminal session-based applications. We have a wide range of customers and apps and we've been able to fit all this into one tenant, which has been great to see.

Atul Bahl: I also wanted to highlight the benefits of our relationship with Okta. So we have premier-level support, which has been great, 24/7 support, a dedicated customer success manager. They're always a phone call away. That's been very helpful to us. Very recently, we signed onto what is called Advisory Services, which fills a bit of a niche that we find ourselves in often, whereas we had questions that weren't quite the types of things you would ask Support, but they didn't quite rise to the level of requiring a Professional Services engagement.

Atul Bahl: With Advisory Services, we have what's essentially a virtual extension to the team, a dedicated engineer, where we can bounce ideas off of, talk through architectural types of questions and get some of that feedback and best practices to help move us forward. So that's been a really great win for us. As Philip alluded to, we have used Professional Services on occasion to get some more specific and narrowly scoped projects moving forward. We've taken advantage of developer workshops and developer evangelist events, which has been great to further the cause internally and get developers and the whole community excited about where this is all headed.

Atul Bahl: And, lastly, I think the developed website that Okta puts out has been great. It's an excellent resource for documentation, API references, code snippets, a really great way to quickly get up and running, spinning up your own developer sandbox, very little friction, to spin up these environments and to get going right away. So all these things combined have, I think, really helped move this forward and move this forward faster than we probably would have otherwise.

Atul Bahl: I also wanted to tout the benefit of our community model. We have a lot of smart people across the enterprise and the approach we took there, I think, was really effective in harnessing that collective brain power and moving this forward almost at a grass-roots level, which wound up being a lot more effective, I think, than if this was a couple of folks sitting at the top and sort of mandating it top-down. I think that probably would have gotten us nowhere.

Atul Bahl: So I think that, in combination with the benefits of the Okta partnership and the features of the platform itself really helped move this forward and I'm really happy with how it's progressed so far. But, of course, it's not without its challenges so I'm going to highlight a few here from my vantage point, sitting here at the center. And a lot of this has to do with finding that right operating model, due to the federated nature of our company. What should be mandatory, what should be optional, what should be driven by the center, what should be self-serviced by the member companies?

Atul Bahl: It's still a work in progress and we're somewhat used to that. That's how we have to operate in the cloud in general. We have to be more agile, we have to be more iterative. But something that I'm always mindful of is being careful not to make a certain architectural or configuration decision that would then be very hard to undo or maybe even impossible to undo. So we have to be very careful, especially in a shared environment, not to be too aggressive in certain types of decisions.

Atul Bahl: But we're figuring things out as we go. A lot of these community-driven decisions follow along the same lines. Like at what point does something become, "Hey, this is how we're going to do things," versus, "It's okay for one team to do it slightly different than another." In fact, we had a pretty good conversation on this topic yesterday around attributes and profile masters and it goes back to what I said earlier, being careful not to make a decision that's then hard to undo later on.

Atul Bahl: Then the last point I want to mention here is we've been pretty happy with the organic growth. It's taken off. It's getting out there. But if you go back to what I mentioned earlier about our workforce use case, that started out as optional and a nice-to-have and then, over the years, became a de facto mandate, a gold standard. How can we do the same with customer identity? What does it take to get there? And I think for that we will have to get past some of the technical hurdles that we're facing and, for that, to dive deeper, I'm going to hand it back to Philip who can talk a bit more about that.

Philip Galea: Yeah, thanks, Atul. So, yeah, I just wanted to really emphasize the view from my perspective. The workforce tenant for us has been absolutely instrumental. It works really well. Using Atul and his great team at the center, in terms of anticipating all kinds of back office application developer tools et cetera. So we're very, very happy with that. Certainly from the CIAM perspective, I think we're still seeing the platform mature in that space. Certainly being able to leverage a lot of the capability of the boxes is fantastic, however, what we're having to compromise on a little bit round about certain customizations to do with branding.

Philip Galea: In particular round about certain flows, where we've actually had to maybe do things or sales where maybe we could have leveraged the out-of-the-box capability had it been hub and spoke versus single tenant. But these are all capabilities which I think, if we work closely with Okta to mature, we'll get there with those capabilities.

Philip Galea: Another aspect that's been slightly frustrating, the platform has been moving at a fantastic pace. Looking at all the capabilities that got introduced in Oktane 2019, the platform hasn't stood still. It's been continuing to mature. Some gaps have crept in. We've found that the SDKs haven't perhaps matured as quickly as we would have loved to see them. Authorization code for PKCE, for example, just one scenario where that took quite a while to appear.

Philip Galea: But generally that platform lives and dies by how good the developer experience is. In terms of using the CIAM for adoption, taking that community view to drive decisions, I think that's worked really well, but I really want to emphasize, having that expertise of Advisory Services really just to kind of use it almost as a bumper rail to say, "That actually does make sense," or, "That doesn't make much sense. Have you tried this?" I think that's been really valuable, having that point of contact, to kind of see through some of the decision-making process and helping us get some alignment.

Philip Galea: I think one challenge, which is more of an internal challenge for Verisk as a whole, and Wood Mackenzie being part of that whole family of companies, is really the organic growth and adoption of Okta is really down to the individual’s collaborative nature and I think so far we've been very, very fortunate that we've had like-minded people coming together and really coming and open minded, willing to contribute to the ecosystem. But I think sometimes, as well, it can be quite difficult to try and get that alignment around about that kind of one Verisk approach without that mandate. But that's something that myself and Atul and our other colleagues around Verisk, will help us figure out in due course and make it happen.

Philip Galea: So, getting into very specific technical challenges that we saw. From an administrative control perspective, we're starting to see this coming through with OAuth for Okta. Certainly it's coming, we can see it's coming, we can see the direction of travel. That's great. A huge pain point for us, API rate limiting, particularly round about the LDAP interface where we have these commercial off-the-shelf products that work nicely with the typical LDAP, like an AD or another implementation of LDAP.

Philip Galea: Having the rate limiting on that interface sometimes does surprise those platforms in an adverse way. That's something, I think, we just kind of need to work with Okta on that one and maybe see if it makes sense for having rate limiting on that particular interface or having some sort of control and throttling round about that to isolate specific cases where that one problem doesn't take out the whole platform.

Philip Galea: Okta invisible, I think it's safe to say that, whilst we really love Okta, as a platform, we kind of don't really want our customers to worry too much that it's Okta or it's not. For us round about customization and round about the flows, the branding, that definitely can be improved. And, last but not least, I think, for us, the documentation. There's some really wonderful blog posts out there that pop up and we look at those religiously. I think a key aspect, though, is round about the documentation of the SDKs.

Philip Galea: Again, we feel that we've had to figure out a lot of things sometimes on our own through trial and error and that sometimes can be frustrating for the engineering team. That said, like anything, once you've done it once or twice, it's like riding a bike, you just get on with it and you figure it out. But that, again, is just something you need to really think about when you're going to do a big implementation like we've been doing across multiple different technologies. The documentation sometimes just needs an extra little bit of polish just to really help keep it sharp.

Philip Galea: But generally I would say, despite those technical challenges, there's been a lot of very positive accelerated development with the platform. Where we were six months ago compared to where we are now, even prior to that, we've really come on leaps and bounds. And I think so much so that, as a community, we've actually been collaborating across business units and round about automation of the set-up of Okta.

Philip Galea: An example there being running the whole creation of the authorization servers, the creation of the attributes, et cetera, et cetera. All of that we have now actually scripted. I've actually got an engineer who's actively investigating how we can use tools like Postman Runner, looking at the integration with Jenkins, to actually try and put a little bit of softer architectural wrappers around the very definition and control of Okta to make it a little bit less manual in terms of the setup and a little bit more repeatable through that level of automation. So, I'll hand it back to Atul to talk about what we're going to be doing jointly next.

Atul Bahl: Yeah. So what does our next 12 months look like for us? We're expecting more product go-lives. There are a lot of applications in the pipeline so we're going to march forward with that. We are going to make more aggressive reach within Verisk built upon the success stories that we've built to date. And I'll just help reassure people that this is the right way to go. Tied at the hip with that somewhat is what Philip just talked a little bit about is some of the technical feature requests that we're eagerly awaiting and we're confident that those will come through. That will just make the overall package even better.

Atul Bahl: But largely we're really excited with what we've built to date and we're excited about where we're headed. One particular area of focus for myself would be to really strive for more inbound federation with our customers. Of course this is something that requires partnership with them. They have to be willing and able. We do service customers across the spectrum from small single-person operations to large enterprises, so we have to account for that mix.

Atul Bahl: But federation is something we want to really push for, whether it's a new customer we're onboarding or taking an existing customer who had opted for, let's say, Okta mastered or AD authenticated, and migrate them towards a more modern authentication method, so that is certainly near the top of my list. But, with that, that concludes our presentation. Happy to take questions at this point.