How Vanta uses Okta for identity and access management

In this series, you’ll hear directly from Vanta’s own Security, Enterprise Engineering, and Privacy, Risk, & Compliance Teams to learn about the team’s approach to keeping Vanta secure. We’ll also share some guidance for teams of all sizes — whether you’re just getting started or looking to uplevel your operations. 

‍

In this post, you’ll hear from Bart Tissue, Senior Systems Engineer on our Enterprise Engineering team, who led Vanta’s implementation of Okta.

‍

Using Okta to manage access 

The Vanta Enterprise Engineering team’s mission is to enable our employees to do their best work — and we use Okta to help make this possible. Vanta uses Okta for internal Identity and Access Management (IAM) to help provide a seamless access experience for our employees. Not only do our employees benefit from a simple dashboard for the systems they need behind WebAuthn, but we’re also able to help keep Vanta secure with industry-leading best practices, tooling, and customization.

‍

Behind the scenes, it’s a complex tool that manages automation for access controls, along with ensuring the right individuals have access to the tools they need for their everyday roles. Among Okta’s rich feature set is Okta Workflows, which allow us to automate and orchestrate identity processes. 

‍

Lifecycle management with Okta Workflows 

When the Enterprise Engineering team at Vanta was formed in early 2022, our onboarding process was still very manual. As an example, user accounts for each new hire had to be manually created, which required both time and several steps to ensure this process was handled correctly.

‍

Using Okta Workflows has allowed us to automate this by querying the Google Users API and Groups API to check for identical emails, as well as all other systems in which usernames can be created and be unique. If a match is found, Okta Workflows will create a unique username based on our defined formula. If a match isn’t found, it’ll create a unique account based on our defined formula for all new hires, which eliminates the manual work of double-checking if this account already exists. Not only is this more accurate than requiring a human to manually verify, but it also saves our team a significant amount of work prior to a new hire’s start date.

‍

In addition, offboarding is a sensitive and critical process at all companies. We use Okta Workflows to remove individuals automatically from all SCIM-enabled tools. Okta Workflows also allows us to automate offboarding tasks such as setting up the transfer of files from Google Drive and events from Google Calendar, deleting passwords specific to third-party apps that require email log-in, and removing individuals from our Github org when they no longer should have access.

‍

Use cases for Okta

There are many fun use cases to consider! For instance, we use Okta webhooks to share fun and updates with relevant teams and eliminate manual cross-posting. Some internal examples include:

‍

• For the Vanta Recruiting team: When a candidate is hired, we use Okta to spin up a celebratory message to all teammates who were part of the recruiting and interviewing process. One benefit is that this helps our teams stay informed and better support the new hire as they prepare to join Vanta.
• For the Vanta People team: As part of our onboarding process, all new hires are added to specific channels and calendar events to help welcome them to Vanta and to ensure our People team is able to share important information early on. 

‍

In addition, we use group rules in Okta to automate access groups based on data from our HRIS system to add individuals to specific groups. This allows new hires to be granted access to certain channels, tools, and systems so they’re able to access these tools on their first day, rather than requiring manual requests and approvals for important tools that are part of their everyday workflows.

‍

Partnering for successful implementation 

Given that Okta is ultimately an IAM tool, partnering with our Security team early on allowed us to ensure we had a collective understanding of its setup and a shared trust in management of Okta. We recognize this isn’t always the case, so it’s important to establish this trust and shared understanding up front. 

‍

In addition, as Okta controls access to the bulk of our tools, it was important for us to build partnerships with the main stakeholders (and their teams) of different tools we planned to move behind Okta to define a plan and ensure the transition went smoothly. To do so, we met with teams across Vanta to build partnerships by sharing our goals, offering to help eliminate any manual work, and highlighting capabilities within Okta. By working together to identify opportunities to streamline access to different tools (and building a significant amount of trust along the way), we’ve been able to eliminate hours of weekly manual work for teams across Vanta. 

‍

In the words of a few Engineering Managers at Vanta:

• “You’ve saved me 3-4 hours of manual work per week!”
• “We had a new hire join the team today and they were auto-magically given access to all of the tools and added to all of the right channels!”

‍

Tips for implementation

As with any new tool, it’s important to remember that new tools are like new routines — it takes people time to get used to using them, and it may not be comfortable at first. While Okta has many benefits, it can take employees a bit of practice to get used to the Okta flow.

‍

For our implementation, we decided to start with putting a few tools behind Okta so they’d be visible on the dashboard. Following an All Hands presentation for our staff highlighting the benefits of using Okta, we dove in by inviting all employees and contractors into the tool right away so they’d have their login information set up — and so they’d be able to start establishing a new routine with Okta as their one-stop shop for all tools. 

‍

We provided a clear, step-by-step guide with company-specific screenshots, frequently asked questions, and a defined timeline so our staff could set up Okta on their own. During our implementation period, we also provided timely reminders to anyone who hadn’t set up Okta yet — and we continue to use the same channels to communicate important updates that might affect end users when they arise.

‍

While every company is different, here are some general tips:

‍

• Determine your timeline for migration, and err on the side of overcommunicating this with any individuals ahead of time. This is especially helpful for managers and your leadership team, and be sure to provide a clear ask so they can help support your implementation.
• Create resources that allow your employees to take steps on their own when needed, such as implementation guides, and try to anticipate and answer challenges and questions that your staff may encounter in the process.
• Highlight the benefits of a tool like Okta to help ensure your employees understand why they’re being asked to change their workflow — and how to more effectively access the tools they need going forward.
• Identify the best channel for company wide communication, whether a specific Slack channel, email, intranet post, or other method that works for your team and company. Be sure to communicate concise, relevant updates where needed to ensure your employees know what to expect, and when.

‍