Fairfax Media, an innovative and digitally progressive media company in Australia and New Zealand, needed a solution for quickly implementing their growing number of SaaS applications that also integrated with Active Directory.
Director of Security
Support Burden with Custom Integrations
To provide secure application access and improve user productivity at Fairfax, the Technology team built a homegrown single sign-on (SSO) solution, working back and forth with app vendors, implementing SAML themselves, and building the multi-factor authentication (MFA) piece as well. As the number of SaaS applications grew, so did the burden on Technology. They needed to integrate each new app themselves with their identity directory—Active Directory (AD). Obviously, this approach slowed down app rollouts, and also required a significant amount of time to build and support these integrations.
The task was already daunting and continued to grow as the business continued to add more SaaS apps. David Tregoning, Systems Architect at Fairfax, recalls “it was taking substantial time to put applications in. We were looking for something that would be a turnkey solution to help us speed up that process and put less of a burden on our staff.”
Steven Christall, Director of Security adds, “without an out-of-box integration to all these third party SaaS apps, we just couldn’t keep up with the business rolling them out.” Spending weeks aggregating information and pushing new apps through was no longer a sustainable option for the Technology team or the company.
Securely Managing User Identities across Multiple Systems and Applications
With more than 100 users needing access to 30 individual Amazon Web Services (AWS) accounts, whenever someone leaves the business or changes roles, stranded accounts are likely to result. Christall recognized the security risk of having manual processes to manage these accounts. With this in mind, he wanted an AWS-approved solution to implement best practices for user management and to provision and deprovision users faster and with less manual work. Overall, Fairfax was seeking a solution that integrated with AD and had real-time sync. So disabling a user in AD would also disable cloud accounts almost immediately, eliminating security risks and unnecessary costs.
Complex AD Environment
Since Fairfax is comprised of a number of business units that have merged over time, they have a diverse AD environment. Technology wanted a solution that could bring together five forests and 29 user domains without them having to do significant manual work. Some previous cloud systems required substantial work to prepare the identity information for syncing, and this was not maintainable in the long-term.
In summary, Fairfax needed a solution that had pre-integrated apps, real-time AD sync, and the capability to unify multiple directories. Although not a technical challenge in itself, time was another factor. Technology needed a solution up and running fast, with the least amount of manual work.
Through the OneLogin platform, the Technology team at Fairfax was able to quickly implement a unified directory, real-time AD sync, network- aware MFA, and out-of-the-box app integration.
To meet growing demands, Fairfax looked for a solution that provided integration into a large number of SaaS apps, especially the ones they already had. Technology compared its list with the OneLogin app catalog, which currently has over 4,000 pre-integrated applications and continues to grow.
OneLogin also has the flexibility to set up new applications easily. Tregoning shares that for them, setup comes down to how well the application vendor or implementer understands SAML. He says, “In the instances where we’ve been in control of both ends, like ServiceNow for example, it was about a 30-minute setup”.
Thus, it takes only minutes for his team, compared to the months of building an integration themselves.
Not only can Technology implement apps more easily and quickly, but they and their users do not have to wait a full day for the apps to sync. Apps implement in near real-time, “within 15 minutes at the most,” states Tregoning.
Standardized Multi-Factor Authentication
Fairfax had built a custom MFA to help secure remote logins, so a standardized MFA solution with similar or better functionality was a requirement. OneLogin MFA functionality helps the Technology team deliver three tiers of authentication security:
As mentioned above, Fairfax uses AD as the user directory, but with multiple AD instances, it has incurred significant operational overhead in previous integrations. Technology unified the disparate directory sources through OneLogin Active Directory Connectors, which can be installed in minutes with no firewall changes required. The connector automatically discovers all forests and domains, and uploads the complete organizational unit (OU) tree to OneLogin. After selecting from which OUs to sync users, the users are pushed to OneLogin in the cloud and automatically kept up-to-date going forward.
OneLogin enables companies to still control access to cloud apps through AD by acting as a unified directory that leverages user information like group membership from external directories in real-time. For example, an admin can go into AD and update identity information such as Manager, then OneLogin will read it in real-time and modify access control attributes like Role.
For apps or web services like AWS, where users were not passing through any type of company gateway, Fairfax can perform best-in-class AWS user management through OneLogin. Technology can now use role-based access more effectively for AWS as well. When a user requests AWS access, the support team only needs to add the person to the proper group, and that person immediately gets access, rather than having the admin go into AWS to set up the account manually.
Real-time Sync with Active Directory
To ensure the security of company data, user accounts must be disabled as soon as the user leaves. Christall affirms, “From a risk and governance perspective, the near real-time disablement of accounts is a key thing. You know that access to 25 SaaS products gets cut off when a single account is disabled in Active Directory by the service desk.”
OneLogin synchronizes users in real-time, which means creates, updates, deletes and suspends are pushed from AD and other apps within seconds. Real-time sync makes onboarding more efficient and provides Technology with that essential kill switch for protecting data.
It took only a week and a half to implement OneLogin. Technology has since seen several key benefits, as have end users at Fairfax.
Reduced Support Burden
Today, Fairfax users can seamlessly access their apps to do their job from anywhere without the burden on Technology teams to support and keep up with building custom integrations. With unified directories and the ability to use OneLogin as the gateway to internet-based applications and services, Technology also saves time by not having to clean up stranded accounts, especially in the most robust of platforms like AWS. Password management is centralized and deprovisioning is real-time, effectively disabling all affected accounts and closing the security gap.
Another example where Technology enables users to save valuable time is through self-service password resets. The year before Fairfax implemented OneLogin, they recorded 3,138 password resets in ServiceNow, its support hub. Christall considers the intangible benefit of an empowered user: “They can self-service reset. They’re not sitting in a phone queue or wasting time waiting. On weekends or outside service desk hours, they can also effectively get in, which is an additional bonus.” Furthermore, Christall figures that at about 10 minutes per password reset, their teams have since avoided those costs (approx. 40,000 AUD) and wasted time (approx. 500 hours).
Fast App Implementation and Heightened Perception
Technology now implements applications in a day or less and in a way that, Tregoning states, “is far less onerous on my peers and me.” Additionally, other departments have started to perceive Technology differently. In some cases, they’ve asked upfront how long implementing an app will take, expecting to hear weeks or months, and to their surprise, the team replies, “Whenever you’re ready.”
Working closely with a technology partner helps enable this readiness. “One of the greatest things I find with OneLogin is the relationship we have with support and the regular calls we have,” says Tregoning.
Christall adds, “Generally, Technology has been perceived to be nay-sayers. Having these sorts of toolsets allows us to say ‘yes’ more often and more quickly, which is very important from a service delivery and perception point of view.”
OneLogin brings speed and integrity to the modern enterprise with an award-winning SSO and identity management platform. Our portfolio of solutions secure connections across all users, all devices, and every application, helping enterprises drive new levels of business integrity and operational velocity across their entire app portfolios. The choice for innovators of all sizes such as Condé Nast, Pinterest and Steelcase, OneLogin manages and secures millions of identities around the globe.