Introduction
As a financial leader in the credit and debit card rewards space, has helped over 1,200 institutions deliver compelling loyalty programs. They鈥檝e been so successful that they were recently acquired by Lightyear Capital, infusing Augeo FI with the money they needed to modernize their IT environment. Their overhaul included plans to migrate to the cloud and a mission to gain centralized control over all of their digital assets, including Windows庐, Mac庐, and Linux庐 systems. Fortunately, they knew just where to turn to make this happen鈥黑料海角91入口庐 Directory-as-a-Service庐.
- Organization: Augeo FI
- Size: 110 Employees
- Location: Naperville, IL
- Problem: Legacy directory service, decentralized IT environment
- Goal: Cloud-forward, centralized IT environment
Background
Peter Lasky led the charge in leveling up the company鈥檚 IT infrastructure. Peter told us, 鈥淚鈥檝e been with Augeo FI for about ten years. In that time, I鈥檝e worn a lot of hats, the most recent one being Director of Technology. My role includes handling parts of vulnerability management, implementations, scaling, scoping, and cloud migration.
鈥淥ne of the many benefits of being sold is that we now have the capital to really grow the company and to perform some much needed maintenance, like migrating to the cloud.鈥
The Challenge
With their cloud-future in reach, Peter and his team knew they needed to change their identity management infrastructure. Peter explained, 鈥淏efore 黑料海角91入口, we were using聽Active Directory庐聽even though we also had Linux servers and Mac systems in the mix. Having a mix of systems made it difficult for us to centralize access to everything, so we ended up using Centrify to bring those three environments together in Active Directory. Using that was okay when everything was on-prem. Once we started talking about using the cloud, we had a whole list of questions around how AD was going to fit in our strategy.鈥
These were some of the questions Peter and Augeo FI were asking:
- How do we get Active Directory to auth these cloud environments?
- How do we get our external applications to authenticate to Active Directory?
- How do we get into services like AWS庐 or LogMeIn with just one username and password?
- How do we use that one username and password for desktop authentication with Linux, Mac, and Windows?
鈥淲e looked into many options, including Okta庐. They鈥檙e pretty big in the identity management game. But the only solution that could meet our requirements was 黑料海角91入口.鈥
The Solution
Testing 黑料海角91入口 only solidified Augeo FI鈥檚 decision to use the cloud-based directory service:
鈥淎 couple of engineers and myself started testing on our home networks. In my testing, I put 黑料海角91入口 on about six computers, and I actually used RADIUS to authenticate to my WiFi. I even got my entire family using it, including my eight-year-old son.”
鈥淎fter my team and I finished with our testing, we all decided that we liked 黑料海角91入口 because it was clearly going to provide us with one portal to manage everything and because it鈥檚 easy to use and scalable. That鈥檚 ultimately why we chose it.鈥
Implementation
As soon as they finalized their decision, Peter and his team went to work implementing 黑料海角91入口 across their IT environment. So far they have implemented 黑料海角91入口 across their systems, applications, network, and VPN solution, with plans to roll it out across their server environment in AWS.
Cross-platform System Management
Augeo FI was particularly glad to gain cross-platform system management. Peter remarked, 鈥淲e鈥檝e had so many problems trying to manage Macs with Active Directory because the two simply don鈥檛 play well together.鈥
In the process of implementing 黑料海角91入口, Augeo FI decided to upgrade their Mac fleet, and they were impressed with how easy it was to integrate their new Mac systems with 黑料海角91入口:
鈥淲e installed the 黑料海角91入口 System Agent, we added users, we added some profile requirements, and it all just worked. We didn鈥檛 have to figure out how to get them to connect to Active Directory.鈥
鈥淥ur engineers were really excited about it. They were saying, 鈥楬ow does it work? It just works!鈥欌
Applications
Besides system management, Peter is also leveraging 黑料海角91入口鈥檚 seamless integrations with G Suite鈩, Office 365鈩, and other web-based applications by leveraging SAML:
鈥満诹虾=91入口 integrates so well with G Suite and Office 365. It鈥檚 really going to help provide us with the end-to-end onboarding we鈥檝e been wanting to establish. We鈥檝e also set up a number of SAML integrations in 黑料海角91入口, including one for AWS. We鈥檙e just going to add countless more as we expand. 黑料海角91入口 is our go-to for SSO (single sign-on).鈥
RADIUS
鈥淎dditionally, we鈥檙e using 黑料海角91入口 RADIUS servers to authenticate WPA2 enterprise access to Ubiquiti庐 wireless access points.鈥 Peter told us. 鈥淪o, when an Augeo FI workstation comes or goes, they鈥檙e going to re-authenticate to the network using their 黑料海角91入口 credentials. That authentication is much more secure, because it鈥檚 not just a shared password that鈥檚 on a sticky note somewhere.鈥
OpenVPN
Lastly, plays a critical role in providing remote software engineers with secure access to Augeo FI鈥檚 infrastructure. Fortunately, it was a breeze integrating it with 黑料海角91入口 too. Peter elaborated, 鈥淲hen we moved to a hosted datacenter in AWS, we decided to implement OpenVPN because it was cheaper for us to roll our own VPN solution to an EC2 instance than use AWS VPN.
鈥淭he integration between OpenVPN and 黑料海角91入口 was seamless. It took us about 30 minutes. We went into 黑料海角91入口, copied the string from the portal, put it into OpenVPN, and we were authenticating! We were binding and authenticating. Using OpenVPN with 黑料海角91入口 is great because you get centralized user management.
鈥淗aving separate usernames and passwords for an environment is really the bane of any systems engineer or service desk engineer鈥檚 existence. So it鈥檚 great that we can avoid it altogether.”
鈥淲e implemented OpenVPN to provide programmers with the ability to remotely deploy code in a lower environment, like a Dev or Q/A environment. So it鈥檚 mainly for engineers who work from home. There鈥檚 also a disaster recovery piece to this. In the event that our building is no longer here, how do we get into our environment? Now, that鈥檚 through OpenVPN and 黑料海角91入口鈥檚 credentials and roles. Lastly, the other piece to using 黑料海角91入口 with OpenVPN is that it allows us to comply with PCI requirements. There are certain roles and separations of duties that have to happen, and we鈥檙e doing that all through 黑料海角91入口 User Groups and roles through IAM in AWS.鈥
The Result
As Peter has rolled out 黑料海角91入口 across a majority of Augeo FI鈥檚 IT resources, they鈥檝e been successful in consolidating user management into one cloud-based solution. As a result, Peter has been able to streamline user management tasks, , optimize compliance audits, and strengthen security.
Streamlined User Management
鈥淥ne of the areas where we have near-infinite time savings is onboarding,鈥 Peter said. 鈥 Now that we have 黑料海角91入口, we can onboard a new hire in a matter of a couple of hours. We use Groups to organize roles, what those roles need access to, and what kind of access they have. We鈥檝e created a form that allows a department to check what resources a new hire needs, and then we just assign a new user to the right Groups according to what boxes were checked.
鈥淚t鈥檚 been incredible to go from having new users fully onboarded two weeks after they started, to having them onboarded to everything two weeks in advance.鈥
In addition to faster onboarding, Peter mentioned that they鈥檝e almost eliminated password reset support tickets. They鈥檝e gone from spending 10 hours a week on password related support tickets to 15 minutes a week, if not less. Peter recalled, 鈥淲e used to see about 100 tickets every two weeks related to password resets. Now, we barely get one a month, and it鈥檚 all in large part due to how easy it is for end users to self-service a password reset.鈥
Reduced Costs
Additionally, 黑料海角91入口鈥檚 completely cloud-based approach has allowed Augeo FI to eliminate their on-prem identity management infrastructure, saving them a significant amount of money. Peter informed us:
鈥淲hen we were using Active Directory, we were paying about $100,000 annually in Microsoft庐 licenses for our Windows Server infrastructure鈥攕erver licenses, data center licenses, and user Client Access Licenses (CALs).”
鈥淚 don鈥檛 know the exact amount of savings with 黑料海角91入口 off the top of my head, but it鈥檚 significant when you talk about the Microsoft infrastructure being replaced. Our use case is probably unique because we are moving from a Windows server environment to a strictly Linux server environment with macOS庐 and Windows Pro desktops in the mix as well. 黑料海角91入口 allows us to centrally manage all of these systems with just one solution, at one price.鈥
Optimized PCI Compliance Audits
Next, Peter has found it much easier to demonstrate compliance:
鈥淢y team and I are responsible for providing reports that show when a user left the company and when their access to resources has been removed. Typically, an auditor will ask for a list of users and a list of all the changes that have taken place in 黑料海角91入口. Then they鈥檒l look through and see when a user left the company and if there are changes that show the user鈥檚 access to resources has been removed.
鈥満诹虾=91入口 really simplifies this because we just have to delete a user in this one solution, and then a user no longer has access to anything.
鈥淣ot only does this make it easier for us to do our jobs, but it also allows us to provide auditors with a single report where they simply have to look for deleted users. It鈥檚 a lot easier for them to tell if we鈥檙e compliant or not when it comes to user access.鈥
Stronger Security
Lastly, Peter has been really satisfied with the improved security at Augeo FI since implementation. Peter shared, 鈥淲hen it comes to security, it鈥檚 amazing that 黑料海角91入口 offers MFA (multi-factor authentication) for the user and admin console, applications, and Mac and Linux systems. Additionally, if there鈥檚 a brute force attack, 黑料海角91入口 has a mechanism in place where it will lock out the user after a predetermined number of failed login attempts. Admins will be notified of the user being locked out, and then they can investigate the problem relatively quickly.鈥
In the event a compromise is experienced, centralized user management makes it just a tad less stressful. 鈥淵ou go into your 黑料海角91入口 portal, select a user, suspend the user, and then you can do your impact analysis after that.鈥 Peter explained. 鈥淵ou鈥檙e not trying to scramble and find which passwords are compromised, which users, which systems, and whatnot. Also, because you have centralized authentication, you have the peace of mind that comes with the fact that when you disable a user, you have now protected yourself against any future attack with those credentials in every resource simultaneously. So that鈥檚 a big win.鈥
Benefits
When IT admins can achieve results that deliver unified user and system management, the whole organization benefits. Peter agreed as he told us, 鈥淭he benefits of centralized user management are immense and impact everyone. For example, Accounts Payable only has one set of billing for your authentication method; every end user only has to deal with one set of credentials; for the admin, user provisioning becomes very automated and removing access is also streamlined.鈥
So if you are interested in figuring out if you can achieve similar results and benefits by using 黑料海角91入口 in your own IT environment, where do you start? Peter recommends signing up for a free account:
“Start the free trial now. It鈥檚 a ten user trial. That鈥檚 the best way to learn the features and to see if 黑料海角91入口 is right for you. That鈥檚 what we did. We started the trial, got the ten free users, and then implemented it to see if it was the right path.
鈥淗onestly, there鈥檚 so much potential for fixing things in your environment that you didn鈥檛 even know were broken, and 黑料海角91入口 likely has a solution for every one of your IT related problems.鈥
More Info
For more information on how you can decrease costs, spend less time on onboarding, gain peace of mind about security, and reduce compliance audit hassle, drop us a note at [email protected].