Putting a lock on password management

Paul Aldridge, CIO of Genomic Health, Inc., wanted his technology team fully focused on supporting a next-generation network for cancer research. Yet with each user requiring logins for as many as a dozen software-as-a-service (SaaS) sites, password management tasks such as lookups and resets were chewing up the team's time.

Genomic, based in Redwood City, Calif., is a firm believer in SaaS, subscribing to applications for performance reviews, expense reporting, payroll, employee benefits, vacation time tracking, customer relationship management, and more. "We're in the cancer diagnostics business, not back-office services. We use SaaS so IT can concentrate on things that are of value to us," he says.

Aldridge is not alone. Gartner predicted that worldwide SaaS sales would total $10.7 billion this year, a 16.2 percent increase from 2010. As companies become more comfortable with the SaaS model, they are subscribing to services for numerous individual functions.

As Genomic's pool of SaaS sites has grown, though, so has the complexity for the company's 500 employees. "Each provider has a separate password management process and a separate password convention," he says. "Even if users wanted to make it easier by keeping their password the same, they couldn't."

To keep track of all their logons, users posted sticky notes with their passwords and other critical data on their monitors and desks. Rather than admonish users for this risky practice, Aldridge's team searched for an alternative: he wanted to simplify the situation so that users were never pushed into that step in the first place.

He found his solution, ironically, in another SaaS offering, from Okta. Okta's cloud-based identity and access management service acts as a single sign-on gateway to the company's other SaaS applications. Aldridge calls it a "password locker."

Each user is provisioned an account on the Okta portal. After logging in, the user enters the URLs, usernames and passwords for the other corporate SaaS services, and from then on a customized Okta page provides access to those sites. Where a provider supports it, Okta instead uses Security Assertion Markup Language (SAML), the XML-based federation standard, to exchange authentication, entitlement and attribute data with that provider, so the user is signed in on the strength of an assertion issued by Okta rather than a password stored in the locker. The service integrates with Microsoft's Active Directory for centralized management and control, and offers a catalog of hundreds of pre-integrated on-premises applications and cloud-based services.
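The SAML exchange described above is only as safe as the receiving side's checks: after Okta (the identity provider) posts an assertion, the SaaS site (the service provider) must verify its signature and then confirm that the assertion is for this site, is still within its validity window, and answers a login request the site actually made. The following Python is an added example, not Okta's code and not from the original article. The XML response, the example.com entity IDs and the request ID `_req42` are constructed for the example, and it assumes the XML signature over the `<saml:Assertion>` has already been verified with a real XML-DSig library such as xmlsec; the checks shown come after that step, never instead of it.

```python
# Added example (not Okta's code, not from the article): what the SaaS site
# (the SAML service provider) must check when the identity provider posts it
# a SAML 2.0 response.  The XML, hostnames and request ID are constructed.
# ASSUMPTION: the XML signature over <saml:Assertion> has already been
# verified with a real XML-DSig library (e.g. xmlsec).  Never skip that step.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Hypothetical entity IDs for the identity provider and for this SaaS site.
IDP_ISSUER = "https://idp.example.com/saml"
SP_AUDIENCE = "https://expenses.example.com/saml/metadata"

# Constructed response; the Signature element is omitted (see assumption above).
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2011-06-01T12:00:00Z" InResponseTo="_req42">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-06-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2011-06-01T12:05:00Z" InResponseTo="_req42"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-06-01T11:59:00Z" NotOnOrAfter="2011-06-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://expenses.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="department">
        <saml:AttributeValue>Finance</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_saml_time(ts):
    """Parse the UTC xs:dateTime form ('...Z') that SAML timestamps use."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, outstanding_requests,
                       audience=SP_AUDIENCE, issuer=IDP_ISSUER,
                       skew=timedelta(seconds=60)):
    """Return (subject, attributes) for an acceptable response, else raise
    ValueError.  outstanding_requests is the set of AuthnRequest IDs this SP
    issued and has not yet seen answered; an accepted ID is removed from it,
    so a second copy of the same response is rejected as a replay."""
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:   # one plain assertion; EncryptedAssertion not handled here
        raise ValueError("expected exactly one plain assertion")
    a = assertions[0]          # must be the element the verified signature covers
    if a.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("assertion not issued by the expected identity provider")

    cond = a.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion carries no validity window")
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now < not_before - skew or now >= not_on_or_after + skew:
        raise ValueError("assertion outside its validity window")

    # An assertion minted for the payroll site must not log anyone into expenses.
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion was issued for a different service provider")

    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    in_response_to = scd.get("InResponseTo") if scd is not None else None
    if in_response_to not in outstanding_requests:
        raise ValueError("unsolicited or replayed response")

    subject = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attributes = {
        att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
        for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    outstanding_requests.discard(in_response_to)   # one response per request
    return subject, attributes


def demo():
    """Exercise the validator: one good login, then three rejected responses."""
    pending = {"_req42"}
    t = parse_saml_time("2011-06-01T12:01:00Z")
    results = {"accepted": validate_assertion(SAMPLE_RESPONSE, t, pending)}
    cases = {
        "replayed": (t, pending, SP_AUDIENCE),              # _req42 already consumed
        "expired": (t + timedelta(minutes=10), {"_req42"}, SP_AUDIENCE),
        "wrong_audience": (t, {"_req42"}, "https://payroll.example.com/saml/metadata"),
    }
    for name, (now, reqs, aud) in cases.items():
        try:
            validate_assertion(SAMPLE_RESPONSE, now, reqs, audience=aud)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The audience and InResponseTo checks are the ones most often left out by hand-rolled relying parties; without them, a valid assertion obtained for one of the company's SaaS sites can be replayed against another, and the single sign-on gateway becomes a single point of lateral movement.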

Aldridge calls the Okta interface intuitive and says users are pleased. "It makes their lives so much easier," he says. It's also freed up IT from dealing with the tedium of password management. "There is an administrative burden that has been lifted."

IT also gained visibility into and control over user passwords that it previously lacked. Through a central dashboard, the team can confirm that users are following the policy of changing passwords regularly, and can shut off a portal account, and with it the route to every connected application, immediately if an employee leaves or is terminated. The team also uses Okta to generate reports on user activity to check license compliance.

"We've improved our security posture and are able to manage employees' behavior so they are compliant," Aldridge says.

While Aldridge credits Okta for its attention to security, he does not treat that as a reason to shirk his own responsibility. He regularly audits the individual SaaS providers to confirm they have proper security controls in place to protect user and corporate data.

Genomic currently authenticates users to the Okta portal with what Aldridge counts as two factors, username and password, and plans to soon add an RSA token, which he describes as three-factor. Strictly, a username is an identifier rather than a secret, so the planned scheme is two-factor authentication in the usual sense: something you know (the password) and something you have (the token). The upgrade matters either way, because the portal concentrates risk: one compromised portal password would unlock every SaaS application behind it.

Aldridge says he's happy to kiss the days of sticky notes and password lookups and resets goodbye so that his team can turn its attention to more important tasks.
