Oktane19: How Okta Lifecycle Management Can Help with Audit + Compliance

Transcript

Details

Chris Niggel: I mean this is a big crowd for a compliance talk so, thank you all so much for coming. And thank you very much for reminding them they can't stand up and leave in the middle of the presentation because it's being recorded. So, you're all stuck here. Here we go. So, as you mentioned, we will be talking a little bit about some of the products here today during the talk. So, we do have the Safe Harbor statement. Please do not make any stock purchases or trades based on the information you receive here and, certainly don't ever do that from any information you receive from me.

Chris Niggel: If you look at my portfolio, I'm going to be working forever. But that's not a bad thing because, I actually really like my job. I think you're going to hear this a lot from the employees and the customers who are up here talking to you today and tomorrow at the conference. I'm in a pretty unique position. My title is Director of Security and Compliance. My name is Chris Niggel. I've been with Okta for about four years now as an employee and I was a customer for four years before that.

Chris Niggel: So, I've implemented Okta, started with about 500 people, drew that to over 10,000 users ... There's a phone right there. I like what we were doing so much here at Okta that I had to come and join the company. And I joined this part of the security team because here at Okta we do things a little bit different. Compliance is a function of security. So I report to our CSO who reports directly to our CEO. Now most organizations, compliance is part of legal or is part of finance right, and they're the groups that you love to hate.

Chris Niggel: They're the teams who are trying to implement controls to meet regulations or meet requirements without necessarily working with IT or, with security to actually ensure that those controls are being done in a way that benefits the organization. And the security team hates the compliance team because the compliance team in their eyes, they're just checking boxes. They're not actually improving the security. So, here we've merged these things, these two things together. And I think what that really allows us to do is it allows us to use security to drive compliance.

Chris Niggel: All of the frameworks that we adhere to FedRamp, HIPAA, and we'll talk about those in a little bit, are able to drive the security and the safety of our customers of all of our customers and protecting their data. So, it's really, really exciting. Now, compliance right, as we all know, isn't the easiest thing in the world to do. It's complex, takes a lot of time. When you're working with your auditors that takes effort away from your engineering team, your operations team, obviously your compliance group. It's very expensive.

Chris Niggel: And with compliance it's really easy to move security backwards. Because compliance frameworks are never able to keep up with technology. So, we look at something like FedRamp, is a great example right? FedRamp Moderate requires people to have 15 character passwords, complex, upper case, lower case symbols, numbers, changes them every 60 days. FedRamp High wants you to change them every 30 days which makes no sense. We all know that trying to implement those sorts of controls doesn't improve security. It moves it backwards. Because people can't remember those passwords so they write them on sticky notes and, they tape them to the bottom of their keyboards or bottom of their machines. So, we're implementing security controls but we're removing security from our organization.

Chris Niggel: The last part, regulations are a moving target. As we mentioned, they can never keep up with security. But when we look at GDPR, CCPA and some of the new privacy laws that are coming out worldwide, we are constantly been asked to meet new regulatory requirements. We see that at Okta and we hear that from our customers. So, we have been ever increasing our regulatory scope and our compliance scope at Okta to meet those needs. When I started four years ago, we only did SOC 2 Type II. Since then we've expanded that program at your request to include ISO 27001, 27018, GDPR. This year we achieved FIPS validation for Okta Verify for our multifactor product which allows it to be used in electronic prescription of controlled substances as well as federal and financial applications. Gramm-Leach-Bliley, PCI, the list goes on and on.

Chris Niggel: And that requirement, those regulations keep increasing. And I know that you see the same thing in your environments. So what this does, is it makes your jobs harder. It's more time from you, from your engineers, from your teams. So, how do we improve this? How are we able to scale without absolutely killing our engineering and our teams that really should be building new products, not working on compliance. So, traditionally we mentioned compliance teams operate separate. It's kind of a check box thing right? We look at a control framework like FedRamp, like ISO 27001 and we try to implement those individual controls, those individual regulations into our security program. And that just doesn't work. It doesn't scale and it's not secure. Those frameworks can even have competing requirements.

Chris Niggel: So, as we mentioned FedRamp has very strong password retention requirements. Some of our regulatory, financial regulatory customers have different requirements. We have to actually remove accounts that aren't being used but with FedRamp, you're actually supposed to retain those accounts because they want to ensure you never reuse an identifier. So, these regulations compete. Traditional compliance doesn't do a great job of resolving that. So, at Okta we flip compliance. Instead of looking at the controls and trying to apply them to our environment, we look at our environment and map those back out to controls.

Chris Niggel: So, we look at all the things that our teams are already doing right. Our engineering team has a fantastic release and review process. The change management process is some of the best that I've ever seen. And I'm not just saying that because I work there. We take that information and build a control's database and then map it to the compliance frameworks that we want to achieve. What that allows us to do is, move quickly. When our customers ask us for new programs like PCI, we're able to achieve that very, very quickly.

Chris Niggel: When we want to do something totally different like the FIPS validation project ... So we completed the FIPS project in I think it was about three to four months. Never could have done that if we had started with a traditional approach. Using this way, we had a strong map, a strong database of all of our controls. We were able to apply that immediately and be able to generate reports, gap analysis and fix those holes.

Chris Niggel: The other way we were able to achieve success here is by working with partnerships. So, Okta is built on top of Amazon Web Services and that allows us to inherit a lot of the physical security controls for our data centers from AWS. By building on top of their third party audit reports, SOC 2 reports for example, we're able to inherit those controls. Take them off of our plate and allow us to focus on the things that we do really well. And because we have such a strong security and compliance program here at Okta, you've got the ability to take that same benefit.

Chris Niggel: We have a number of private sector customers who are building on top of our FedRamp authority to operate. Those organizations no longer have to try and build and test the access control set, the physical security and, the environmental security set because they're able to inherit that from their partners. We do that and we continue to offer those same capabilities to you.

Chris Niggel: So, we talked a bit about access control. That's a huge area of every compliance framework. So, I want to dig into it in a little bit more detail. What we have here is a pretty standard identity lifecycle. So, the talk is lifecycle management so I did have to get into this part. It's a pretty standard identity lifecycle mapped to our SOC 2 controls. So, if you're not familiar with SOC 2, it is essentially the defacto standard in North America for demonstrating security effectiveness. Security control effectiveness.

Chris Niggel: Our SOC 2 report is about 120 pages I think, and in there, these are the specific controls that test each area of the access control section for a lifecycle management. When we hire, when we provision new accounts, when our employees go through role changes, change access, either get access to new applications or change into new departments. And, then finally we have the retirement, when they no longer work for the organization. How do we ensure that we disable those accounts? These are pretty common problems across every compliance framework and I think every organization has some challenges with managing identity and access control.

Chris Niggel: So, let's take a look at each of these sections individually. Here at Okta we use Workday as a master. So, our Workday instance is connected to Okta which then automatically is able to provision applications downstream based on that person's role, group membership and various attributes. Now, one of the neat things that we're able to do with is, we're able to connect it to our learning management system to help ensure that when employees join the organization, they don't get access to data until they've completed their security training.

Chris Niggel: They hate me for that. But my regulators really like it. So, we're able using lifecycle management and provisioning, we're ... import the user directly from Workday on their first day of business, feeds them into Okta, they're automatically provisioned to the applications they need on day one. They go through their security training once that completes, the information is back ported into Okta, they're joined into another group and, they get access to our sensitive data.

Chris Niggel: Now, hiring and provisioning would be great if that's all that we have to do but unfortunately, we all need to deal with role changes as well. People need access to new types of information, new applications as their jobs change. Maybe they haven't even actually changed roles but the technology has modified. And also we have to ensure that that's done in a way that meets our written policies and processes. When we look at SOC 2, that's what it's all about. It is, are you following the processes that you've written, you've developed for your organization?

Chris Niggel: Now, traditionally we solved this problem with IT right. If you had to ask for access to a new application you called up the IT help desk, you filed a ticket. They sat on it for a week, eventually you got access to that application. So, with Okta, in the application assignment workflows, you're able to do this and retain ownership with the business owner. As Assistant Administrator deploying Okta, this was the single biggest thing that I could do to improve the uptake in the usage of the system and to get those business groups on board.

Chris Niggel: Because they'll tell you, the sales team, they hated me. They hated IT. In fact, they hated IT so much that they started their own IT group. They had shadow IT. This is the biggest shadow IT group I ever saw. They had about 40 people specifically to make sure that when a sales person was onboarded, they had access to the services they needed on day one. Because if they didn't have access on day one, they were already behind the eight ball when it came to meeting their quota.

Chris Niggel: With application assignment workflows we were able to convince the sales team to put Salesforce in scope, to give security and IT the visibility and control we needed to ensure that people were removed when they left the organization or changed roles. But let the business unit still have all the ownership. If they needed to add someone, they could do it with the AB assignment workflow and never have to contact IT. This was a huge win for us.

Chris Niggel: Now, it didn't give us everything, no. Because through those access reviews, when we had an account that needed to be disabled after 30 days because it hadn't been used, that's not something that Okta could do and we had to write tooling to make that happen. Now, with the automation's feature you'll learn about in the security roadmap sessions here this week, we now have a light weight workflow engine that will allow you to build these access reviews into your environment. If an account hasn't been touched in 30 days, Okta can automatically disable that account for you.

Chris Niggel: How many people do their access reviews, their monthly or quarterly access reviews via Outlook? A calendar invite pops up and says, "Hey, you should probably check your apps". A lot more of you than are raising your hands I'll bet. So, we can start to automate those sorts of capabilities. Giving you the ability to not have to rely on that calendar invite. That meeting will inevitably pop up while you're on vacation and then not get done. Now, the automation's tool and the capabilities in Okta aren't going to work for everyone. These are excellent tools for some kind of lightweight access management and really putting access management that you need for the bulk of your organization.

Chris Niggel: But, if you're using significant on prem systems, if you're in environments that have really complex toxic pair type problems so for Sarbanes–Oxley, toxic pair would be somebody for example who can both write checks and cash checks. Then you've got revenue, or your recognition issues. Okta has kind of limited capability to enforce those types of checks. And so if you're in a real technical environment, you may want to look at IGA or identity governance solutions like Sailpoint that can help you bring those tests in and automate those tests in for the areas that Okta doesn't fully cover.

Chris Niggel: The bottom line here is that you want to make sure you're applying audit and access controls where it makes sense. So, we talked about moving security backwards and it's really easy for compliance to say, "I'm going to lay down the law, I'm going to make our applications super secure", and you end up making your environment less secure. I'll tell you a story.

Chris Niggel: When I was an administrator, this was about 10 years ago right, two factor authentication was all the rage. I said I'm going to role this out to my entire organization. I turned onto MFA for all of our Cloud apps. And that was great for about a day. And then I had and I'm picking on sales again, I had all of our sales guys lined up at my desk with torches and pitch forks because they weren't able to run meetings. They weren't able to run demos to prospects because they left their MFA key on their desktop at home.

Chris Niggel: I put security in the wrong place. Now I wasn't using risk based solutions to identify where I needed to put the right type of odd. So in that case, I actually made the environment less secure because instead of using Webex they just went out and used one of the other dozen collaborative tools online in the Cloud. The Cloud changed everything for us. Where it used to be almost impossible for someone to buy new applications, now they can just do it with discretionary spending on their credit card if it's not free. So, when you don't put security in the right place, you actually reduce the security of your organization.

Chris Niggel: Finally, of course with terminations, every audit framework wants to ensure that you're removing access to data when an employee no longer needs it. With Okta and SSO this becomes very, very easy. Again, by connecting this to your HR system, the termination ticket comes through HR, it goes into Okta, Okta immediately shuts off access to all of our downstream apps. Now when I have to demonstrate this to our auditors, I don't have to go to box to Atlassian, to Cornerstone, to Salesforce, To JIRA. I just go into Okta to show that the account was disabled there. That removes access to everything downstream. I'm done. Saves me a huge amount of time and way, way more screenshots than I like to think about.

Chris Niggel: So, when we look at lifecycle management and compliance, the first step that we took was centralizing our applications on Okta. When we do that we get the provisioning problem is solved, the de provisioning problem is solved, we have the identity governance to help ensure that applications are not being assigned inappropriately depending on an individual's roles. We've got the new automation's capability which allows you to now build in and automate a lot of those things that we used to have to build as administrators. Shutting accounts off, ensuring that are any of our time base controls are met without having to do that with outside resources or with calendar reminders.

Chris Niggel: And then finally, we want to use tooling where it's most needed. Make use of your partners and your vendor's solutions. They have SOC 2 reports, they have ISO 27001. You can inherit from those and you can find solutions like Okta which will solve a lot of your identity problems when you're trying to build solutions or, build environments and you get to inherit that. That reduces the amount of work that your compliance team has to do and allows you to be more efficient and scale more effectively.

Chris Niggel: Now like I said, I don't want you to trust anything that I've told you. So, I have with me Sam Bryson from Medallia who will give you a real customer's perspective on this problem.

Sam Bryson: Hello. Thank you. Well good afternoon. How's everybody doing? Okay, so everybody awake? Had the turkey coma going on? So, my name is Sam Bryson. Trust will verity. The picture doesn't look like me but it is me. It's okay. And I was invited by Okta to talk today a little bit about some of the things that Medallia is doing in terms of Okta implementation and audit compliance.

Sam Bryson: I have been with Medallia for approximately five years. We've been using Okta for ever since I started with that. Quick recap if you don't know what Medallia is. We are a customer experience platform and, I could go on and on with a whole bunch of buzzwords but you can just Google it and it's cool stuff.

Sam Bryson: And let's actually talk about compliance. So, this is what I like to call a Tale of Two Audits. I am relatively new to IT security. I've been in IT for about 10 or 15 years but over the last two or three years I've been sort of dragged kicking and screaming into conference rooms with a whole bunch of people that say, please do this and show me this. So, we're going to talk a little bit about how that process has worked both before Okta and after Okta.

Sam Bryson: So, that's what we're going to talk about. Okay, quick recap although I don't know why because at this point, does anybody not know what lifecycle management is and how cool it is and how amazing it is? I was actually in a session a little bit earlier today and I saw almost an identical version of this slide and I was like, "Wow, they drew it way better than I did". So that's what you get for having an IT guy, not a graphic designer. But, one of the things that I think that's so great about lifecycle management of course is, you start with Workday which is our HIS system, we feed it into Okta, we get all of our tools and services, we happen to be a G Suite customer. And I was just reflecting on this the other day and one of the things I think that was great about it, I realized is that I have not touched Google account creation in four years.

Sam Bryson: I have not created a Google account. I have not deactivated a Google account. I have not had to do anything to them because Okta does it all for me. And I was like, "Yay, laziness for the win. I don't have to anything". Okay, that story aside, talk about audits.

Sam Bryson: Medallia has done a few. I stole this right off of our website. I guess we have a bunch. I've probably sat in at least half of these meetings and of course in addition to all of the certifications and compliance audits, we have customer audits. Medallia actually has financial services, we've got retail, we've got HRM, we got a whole bunch of customers and all of them like to do audits of us. So, does anybody here actually sit through audits? Show of hands. Does anybody here ... Okay, right. You'll kind of like this one then. So, what are audits like?

Sam Bryson: Well, the first thing I realized was that an audit is really just about questions. It's literally asking a whole bunch of questions. What is your active directory management tool? I didn't know we had to have an active directory management tool. That was something new. It was like, "Okay". How do you ensure departed employees don't have access? Well we could turn things off. I don't like arguing with auditors because they just kind of keep going deeper and deeper into questions. They go like, "Why did you do this one thing?".

Sam Bryson: Pardon the language. I swore I wasn't going to swear too much about it but it's kind of like that card game Bullshit right where somebody says "Prove it", "No". "You're lying, you didn't do it." So that's just an example. The most important question though that I've always wanted to know about auditors, how come they never look that good in real life? And I apologize to any auditors in the audience here. But, if you've been in a conference room for four hours, you don't look like that.

Sam Bryson: So, my first go around with an audit. I literally got dragged in and my boss said sit here and answer these questions. And I was like, "Okay. I can do this, this will be fine. No big deal". I didn't really know what the questions were and for us at the time, lifecycle management was really just SSO. We had just barely implemented Workday, we were getting started with it. We didn't really quite understand what was going on. We knew it but, we didn't really deep dive, know everything that was going on. And unfortunately auditors really like to deep dive. They want to know everything.

Sam Bryson: So, the first thing I had to do was learn about all of this. I hate PowerShell. As much as I would like to admit it. Personally I do like my colleague's note that says, this one here works well. That's a good one. Because we have a whole sheet of this. I literally have a Google doc with about three pages of different PowerShell scripts to try to run and stuff and they're kind of terrible. But this is what the auditors wanted to see. They said, show me an export of Active Directory and I learned that even though Active Directory is 20 something years old, there's no export button. Why?

Sam Bryson: Okay, so, last time around. We fast forward a couple of years, it's been two or three years in doing this and we really, really deep dived into how Okta works. How HIS works. As an organization we also grew our security and compliance team grew which by the way, is the same team. So, I'm pretty sure they hate themselves according to Chris' definition. Going to give them a complex now just because of that. And they got a lot better working with the auditors and working with the vendors. So, nowadays we've got the questions beforehand, we knew what was going on, we could give them screenshots beforehand so really, when it came down to the auditor's coming on site, it was just, okay give me a sample set.

Sam Bryson: I mean if you've had that happen where they say show me these last 20 departures and show me these role changes and, show me how this ticket process worked. And for us it was really explaining how this process works, having to convince an auditor that Active Directory really has nothing to do with it anymore was kind of the problem. And that took a little bit of time. But once we demonstrated to them how this process worked, then it became a lot easier especially on annual renewals because a lot of you I'm guessing, have customers that have to do annual audits because of their compliance framework.

Sam Bryson: So, a lot of times we'll get the same audit back every years and it's just like, "Okay, done". They like to check their boxes. We like it for fun. And really it comes down to two questions. Every auditor I've ever wanted to know at the end of the day, is it part of the employee still active, do they have access? Does the right kind of role, does the salesperson have access to Jira, does an engineer have access to Salesforce? The answer should be no unless there's some kind of super awesome conglomerate of an engineer and a sales person. Maybe.

Sam Bryson: So, what did this sort of help with? Well, once we got this framework down it was a lot of these kind of evidence based approvals of who could do what, who had access to what. Here are just some examples of what Medallia has shown. Here's a departed employee, what access did they have applications to? Done. That's it. That's easy. One screenshot. Didn't have to pull a log. Didn't have to do anything.

Sam Bryson: Show me a log in. Okay. Pull up a browser. Done. Log in. That was it. "Oh, I'm logging into the AD Network", "No, you're not. You're just logging into Okta". "Oh, okay". That was it. Nice and easy. Took maybe 20 seconds. A couple of other examples. New application request. This one I kind of like. I thought this one was sort of fun because a lot of times they ask in the onboarding example, how did the salespeople with the pitchforks hate IT? Thanks a lot for that by the way. Just roll me under the bus. It's okay.

Sam Bryson: One of the things we do in Medallia is rule's based groups. We pull all that information from Workday. Are they part of the department's sales? Are they part of the sales development team? Are they part of sales operations? We use those groups ... We use those rules to create groups, those groups to create push groups and access to applications. Either way how we want to do it. So, it was very, very simple. They could say who on the sale's team has access to Salesforce? And we could say, the sale's org has access to Salesforce. Oh, what do they do if they switch roles? They're no longer in the sales work, therefore they lose access.

Sam Bryson: So, we automated all of that. So, one of the challenges we actually had ... A little sidebar tidbit here was, the auditor wanted to have, said where's the ticket that shows that you switched access? I said, well we don't have one because it's automated. We don't do that. I don't like tickets. I know people don't like submitting tickets. I don't like receiving tickets. So, the more I can get those out of the way, the better off everybody is.

Sam Bryson: So, that's really how lifecycle management, that automated access, automated de provisioning, new access request, that's what lifecycle management really helped in terms of our audits and our compliance features. But, just because I'm standing up here, I thought I might talk a little bit about other things that Okta does in terms of security compliance that's kind of fun.

Sam Bryson: Who has admin access? Very common question. Who has access to which applications which kind of goes back to what we were talking about with the groups and the role based things. And of course the prove it part right. That's always the question. Question of the day. So, admin access. Great, screenshot, done. It's very clear cut, it shows who has access to what application et cetera. This was some of the one sample of redacted system logs. Well, Okta has system logs. We've all dived into the system report. They could do better. But, you know their okay. We like them.

Sam Bryson: More importantly though it can very, very clearly shows and demonstrates that workflow. It shows here is the Workday import. It shows here is the assignment of its application. It shows when this new hire was terminated. And it says deactivated and you see right above it, we moved from Google. We've moved from Salesforce. We've moved for Jira. It's all done. It's nice and neat.

Sam Bryson: Okay, deep breath. That's actually it. Nice and neat. Simple. Right? Now the last thing I always like to talk about here is that you give somebody a microphone especially an IT guy who's had too much sugar and not enough sleep and all of a sudden you're talking like this and goes, "World domination comes down to this". But what we're really going to do is actually talk about is Q&A. So, I'm going to invite Chris back on stage and I will try to slow it down a little bit and happily answer any of your questions. Or point to this guy and let him do it for me.

Chris Niggel: Yes, thank you very much. So, we do have some microphones that are mobile so that they can come to you. I've got a couple of great resources and we've got about 10 minutes.

Sam Bryson: Before you get started with the question real quick ... I did want to point out one of the things I really loved about Okta was you talked about how quickly it took you to build that FIP's compliance and so forth? We just recently just switched over to Okta Verify as a two factor tool and not more than three days after we rolled it out, I actually got an email from the security compliance team saying, "Hey, we got FedRamp. We need FIPS", and I was like, "Okay, cool. Let me Google that". FIPS Okta. Early access check box, is that good? Yep, all done. So, that's the best kind of IT in the world. Anytime I've got to check a box and not run a PowerShell script, I'm doing good.

Speaker 3: How do you deal with the special snowflake apps that are hard to integrate into Okta?

Sam Bryson: I'm sorry?

Speaker 3: How do you deal with lifecycle management for the apps that you can't integrate into Okta? The stuff that doesn't support SAML, doesn't support single sign on?

Sam Bryson: Well, for us, a lot of the conversation for us depends on what is the app and how security risk compliance is it? Obviously there are some shadow IT people who go out and there and say, "Hey, here's this really awesome app for creating bit emojis to put inside our user profiles". We don't care. Otherwise though, there are applications. Legacy applications for example, on premise applications. I think we still have like two that we haven't migrated over. And for that one unfortunately, we do have to dig into the app or dig into AD.

Sam Bryson: If it's not in Okta there's nothing we can do about it other than show that access was removed. The good news is though that most of the organization like in my particular company ... Again we're like 99.99% SAS based. I would say 98% of all our apps are integrated into Okta. So, we only have two and we're planning on moving those over.

Sam Bryson: But tell your boss, spend some more money and get on the bandwagon.

Speaker 4: Question over here.

Speaker 5: I have a quick question on the consumer space and how you manage access for consumers. Now with the CCPA regulations coming in, is Okta implementing something like UMA or any of those protocols or standards or what is your guidance to build apps for consumers to be compliant with CCPA?

Sam Bryson: Guidance for continued compliance for CCPA? Sorry I-

Speaker 5: I think CCPA is due next year right? I mean we have to be compliant by that so, does your product offering has anything you could leverage?

Chris Niggel: Yes, so for CCPA for those that are not familiar is the California Consumer Privacy Act. It's essentially our state's response to GDPR in the privacy regulations and capabilities within the EU to try and get that applied inside of at least California given the number of security breaches and personal data misuse that we've seen in the news over the last basically year. So, for CCPA, there's two ways to look at that. The first one is for your employees. So, we first as part of our GDPR compliance do expect that we'll be able to meet the requirements for subject access requests and data deletion for both employees and for customers, if you're using Okta in a customer identity and access management role, underneath the CCPA.

Chris Niggel: So, that's kind of the big area organizations are primarily concerned about right, is those subject area access requests and deletions. When it comes to your downstream applications, because that's where the real challenge is, getting those applications integrated into Okta and using lifecycle management will really help you meet those additional challenges. So, one of the things that we've seen customers do, is a part of data deletion requests is, they will actually in Universal Directory, replace the personal information with randomized strings. Using lifecycle management provisioning that data automatically gets pushed down to any application that supports synchronization and you now have removed the personal data from all of those downstream applications.

Chris Niggel: That will allow you to fix or at least, solve a portion of the problem. For applications that don't support provisioning or updating of personal data, then you'll need to retain a database and go through those manually. So, we're part of your solution. We're not going to be able to solve CCPA or GDPR for you.

Speaker 4: We have a question over here.

Speaker 6: For your terminated users, how long do you retain that information and is it that determined by Workday or is that something's that's controlled by Okta?

Chris Niggel: For terminated users, how long do you retain the information? It can be done either way. Either through Workday or through Okta. What we do internally is we retain the information. We leave the user in a disabled state inside of Okta for a period of three years which allows us to meet the requirements for FedRamp. Other regulations may ask you to delete that immediately. You guys do anything special?

Sam Bryson: All of ours is dictated by our data retention policy and saying whatever it is. But thankfully you don't charge for disabled users so-

Chris Niggel: We do not.

Sam Bryson: I don't care. I have no problem leaving them in there. I believe as an organization we, a long time ago decided as a best practice, we would never use user names so, we just decided we'll leave them in there.

Speaker 4: We have another question at the front.

Speaker 7: Hey guys. So, I got a twofold question. It deals with Workday's Master actually. So, you guys implemented it to Workday, I've seen one of the biggest challenges in our organization at least was actual proper data coming in from HR. Because, initially getting a process automated was very challenging. So, how did you guys deal with that challenge? Basically to the point where you could say I'm fully automated and, in parts, so, once you got automated? How did you guys deal with any sort of role based access control?

Sam Bryson: Well, in our company we kind of lucked out a little bit because at the time our HR department consisted, for the people that we're doing all the data entry, consisted of two people. And we grew from about 250 to 1300 employees in four years and they were already processing 20 a week and they wanted nothing to do with that ever again. So, in our case we kind of lucked out a little bit because HR was already in talks with bringing in Workday. So, by the time that IT got involved, we were kind of like, done, easy, go for that.

Sam Bryson: Obviously not everybody's cup of tea. To further that, when we did have that integration we built, we really just made it a priority within the organization team. It was a lot of internal ... I wouldn't say office politics, but office communication about making sure we were reaching out to leaders and reaching out to different teams saying we are going to establish this weekly cadence. So, we had 127 applications give or take and it was like, alright we're cutting Google. This week we're cutting Salesforce. Next week we're doing this. I think most of my company got really, really sick and tired of all the random animated gifs I put into these emails every week that says this thing is moving, you need to pay attention to this.

Sam Bryson: But, in the long run, I definitely think it really, really helped in our case though because now every time we bring in a new service, the whole company is trained to think, does it have integration with Okta? That's literally the first question anybody in IT asks of any new service evaluation is, do you have SSO, do you have skin provisioning or push groups or whatever? And we haven't turned anybody away because of that but, it definitely puts it towards the bottom of the list.

Chris Niggel: I think we can do one more. I see one in the back.

Speaker 4: Yes, one in the back.

Speaker 8: You mentioned PowerShell you said you didn't like it too much. I was wondering if ... and the PowerShell scripts that you showed all were pulling information out of AD, do you have any need or would you foresee any need for pulling data directly out of Okta or maybe putting data back in Okta using PowerShell or some other automation tool for the purposes of audit or just day to day operations et cetera?

Sam Bryson: I think I understood your question. You were asking if we've ever used like PowerShell or anything like that to pull data out of Okta?

Sam Bryson: In or out of Okta? No. I'll take that back. We used to. Occasionally we would actually cheat. We would push groups to AD but then Okta actually thankfully about a year or so ago, came out with a feature that said application assignment report which was one little check box button on the application page. It said, show me all the users in this app. And that eliminated that. So, that's once less thing that I had to do in AD. But yes, there used to be a couple of little hackey work arounds to basically put the data into AD so we could run reports on it and then pull it back out of Okta, that kind of way.

Sam Bryson: But, we've effectively stopped doing that.

Chris Niggel: So, there used to be a PowerShell library in the community. It was community developed and maintained. Part of the Okta community that you can access through your support page. I would check that to see if that PowerShell library is still active. Otherwise, I would recommend talking to your account exec, your customer success manager and we can see if there are other resources that we are aware of inside the community to help out with that. And I know that used to exist because I used that pretty heavily to replace some ... Now being replaced with the automation's capability.

Sam Bryson: And we can all just ask Chris after this session to say, I solemnly swear I'll add better reporting to Okta right? Going to do that? Export buttons everywhere.

Chris Niggel: I'm pretty sure I saw a product in the back so, your concerns are being heard. I use Okta to run our audits as well so believe me, I feel that pain as much as you do.

Chris Niggel: Cool. Awesome. So, thank you all very much for attending.

Can you use compliance to both secure and enable the business? With Okta Lifecycle Management, we think so. Join Sam Bryson, Global IT Support Manager from Medallia, and Chris Niggel, Director of Security & Compliance from Okta, to learn firsthand how you can deploy LCM and Identity Governance solutions to not only reduce audit costs, but also improve employee productivity.